0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Size

2.9MB
MD5

26ee73bbb953a8cad4eb15508ee2fa71
SHA1

12c5f6a6f74d1828ef954b8251f511bf683f0bd5
SHA256

0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc
SHA512

d75fbcfbc3a728ef3fa4588f12a2c31e5fd8fedde1911aadc5398566b202001d8b827b8152c280c9686ae025f482454e9c76245e4175901e605c1316a740095e
SSDEEP

12288:zXgvmzFHi0mo5aH0qMzd5807FLPJQPDHvd:zXgvOHi0mGaH0qSdPFt4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ycfsu.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycfsu.exe

Adds policy Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshguhcojxjdwimkv.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "lcsshvreapcxrejiui.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsshvreapcxrejiui.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "cshguhcojxjdwimkv.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "yslogxwmldtroemodumgz.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "vkywjvpauhsldoro.exe"	ycfsu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsshvreapcxrejiui.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshguhcojxjdwimkv.exe"	ycfsu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "cshguhcojxjdwimkv.exe"	ycfsu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "vkywjvpauhsldoro.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "lcsshvreapcxrejiui.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\myjeoxownxfvk = "yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vemelrfkyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslogxwmldtroemodumgz.exe"	ycfsu.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycfsu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycfsu.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycfsu.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	ycfsu.exe
2616	ycfsu.exe

Loads dropped DLL 4 IoCs

pid	Process
3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cshguhcojxjdwimkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cshguhcojxjdwimkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshguhcojxjdwimkv.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "cshguhcojxjdwimkv.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsshvreapcxrejiui.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "jcuwndbqofurncjkyofy.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslogxwmldtroemodumgz.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "vkywjvpauhsldoro.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "cshguhcojxjdwimkv.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "cshguhcojxjdwimkv.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "wofgwliwtjxtociivka.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "lcsshvreapcxrejiui.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "wofgwliwtjxtociivka.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "wofgwliwtjxtociivka.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "jcuwndbqofurncjkyofy.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "vkywjvpauhsldoro.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "wofgwliwtjxtociivka.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "lcsshvreapcxrejiui.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshguhcojxjdwimkv.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "jcuwndbqofurncjkyofy.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcsshvreapcxrejiui.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "lcsshvreapcxrejiui.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "lcsshvreapcxrejiui.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "vkywjvpauhsldoro.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "lcsshvreapcxrejiui.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cshguhcojxjdwimkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslogxwmldtroemodumgz.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "yslogxwmldtroemodumgz.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\namitdvewhqhxg = "jcuwndbqofurncjkyofy.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cshguhcojxjdwimkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cshguhcojxjdwimkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yslogxwmldtroemodumgz.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "cshguhcojxjdwimkv.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "cshguhcojxjdwimkv.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "jcuwndbqofurncjkyofy.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "wofgwliwtjxtociivka.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cshguhcojxjdwimkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshguhcojxjdwimkv.exe"	ycfsu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nyicltjqgpwl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vkywjvpauhsldoro.exe ."	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qajckrgmbjp = "jcuwndbqofurncjkyofy.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qeroaleohtdvmwy = "vkywjvpauhsldoro.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cshguhcojxjdwimkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jcuwndbqofurncjkyofy.exe"	ycfsu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkywjvpauhsldoro = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wofgwliwtjxtociivka.exe ."	ycfsu.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycfsu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycfsu.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	whatismyipaddress.com
11	www.showmyipaddress.com
3	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vemelrfkyfkxjolcgmtckcjpdiwdivhm.aek	ycfsu.exe
File opened for modification	C:\Windows\SysWOW64\ayvcytwqtpjlmgsyrmigd.gbe	ycfsu.exe
File created	C:\Windows\SysWOW64\ayvcytwqtpjlmgsyrmigd.gbe	ycfsu.exe
File opened for modification	C:\Windows\SysWOW64\vemelrfkyfkxjolcgmtckcjpdiwdivhm.aek	ycfsu.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ayvcytwqtpjlmgsyrmigd.gbe	ycfsu.exe
File created	C:\Program Files (x86)\ayvcytwqtpjlmgsyrmigd.gbe	ycfsu.exe
File opened for modification	C:\Program Files (x86)\vemelrfkyfkxjolcgmtckcjpdiwdivhm.aek	ycfsu.exe
File created	C:\Program Files (x86)\vemelrfkyfkxjolcgmtckcjpdiwdivhm.aek	ycfsu.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ayvcytwqtpjlmgsyrmigd.gbe	ycfsu.exe
File created	C:\Windows\ayvcytwqtpjlmgsyrmigd.gbe	ycfsu.exe
File opened for modification	C:\Windows\vemelrfkyfkxjolcgmtckcjpdiwdivhm.aek	ycfsu.exe
File created	C:\Windows\vemelrfkyfkxjolcgmtckcjpdiwdivhm.aek	ycfsu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe
2656	ycfsu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	ycfsu.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2656	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	28
PID 3040 wrote to memory of 2656	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	28
PID 3040 wrote to memory of 2656	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	28
PID 3040 wrote to memory of 2656	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	28
PID 3040 wrote to memory of 2616	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	29
PID 3040 wrote to memory of 2616	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	29
PID 3040 wrote to memory of 2616	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	29
PID 3040 wrote to memory of 2616	3040	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	29

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ycfsu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycfsu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycfsu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ycfsu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe

C:\Users\Admin\AppData\Local\Temp\0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
"C:\Users\Admin\AppData\Local\Temp\0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3040
- C:\Users\Admin\AppData\Local\Temp\ycfsu.exe
  "C:\Users\Admin\AppData\Local\Temp\ycfsu.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\ycfsu.exe
  "C:\Users\Admin\AppData\Local\Temp\ycfsu.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
6532a5c5a64cad73d0a17e9fcfa58465

SHA1
fc68d556a823ae5b1dc787283fb3925b3bab469a

SHA256
f9d1b1fc54b60b2ca10c3de535c0b0d23c76f91ba6dcbb44949722b07c7961a1

SHA512
2c7e5bfe3589ffabc00d55c23298c2fad4fe5b60b4c24d92d5aba007eb90d2bbb569a5b241811f1b4734d716c44cc88ee70c691ef3bd231d0c0bcbf8e7954b50

Download Submit
C:\Program Files (x86)\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
9a794a962c98072a98ee20efb1a4649a

SHA1
44f19bf46c6775221ecd8a29dc5bcbe147c38c69

SHA256
1c6ce18dec5943a29ccfe96e19d40b508effd3f16e16d7fa5ac91928ad188d5e

SHA512
11fd0392fdb494ce3172f641967b3787c32a62e43e694a563304157e16a070d729a37b94dfe07c18f86c4f18fbb80585ad36da8ddb2dce07198066e6c2b7664e

Download Submit
C:\Program Files (x86)\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
97fb8fa2bfdbf9b293bc5fd6876b3493

SHA1
707df9c75223e50442395ac0401f67b2ba22d28b

SHA256
658501e08ec8a8873754c3c0a12040cb273ac81b8cf88de8fd367028738b449a

SHA512
26e7f7e14184ed653967f7d0f3afe99f8853d0c437121880075f0dba24c875d3ab340ab84344c884c610e6f8d36a2dc3040792a0dc4ddab67d93c0e2c4c34495

Download Submit
C:\Program Files (x86)\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
2d6b529f5a6055363860a359ea856732

SHA1
2d829b25dbdd91b0b0430a173a53ebc18c774cce

SHA256
cfc6e05d4de430fa933aa391ec08df6d29992e7d845c9c689ddeb4e27dae0bb6

SHA512
8560a05430ca7b6e67fe05d8ef75385ae4ec3344dfaf3e814d5bcbfb515900a41a67ac975e85b86237c20796ea2e17381eed52e27182f717b153ed7dd0626f72

Download Submit
C:\Program Files (x86)\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
a8417ba717697af156c4812587374cce

SHA1
e6c76d1d40e2f44d56b4f6ce0f10ea7abebfd7b4

SHA256
10155ff151e5176a27678b9abcbdd9d15712162df0c69a49619a548a70480733

SHA512
26a5cf28ca2310f5df6b4b78f63da80f862368f3033f0b4235821267d333c8271d6754e2c83f33113281440d1a9aff30d0d63adfe67d105f06f00d23b563d9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycfsu.exe

Filesize
4.1MB

MD5
068f4bb0ca8c61cc6ab137b32a99ad28

SHA1
799899b4f82cda09b14799100933456d5bd28357

SHA256
9aff48b1e7a2c10a2fd2d79f455ebf713722a46277bf2eb25edf0e09b8b076d4

SHA512
aee07ed7fa958d028b58e2a8ce7daaba526ba95c54bffedb87d89d607feb62425c0460c93898eefca2924256ffd68184446e9a01dd2170f84980b3d02f40aaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycfsu.exe

Filesize
4.1MB

MD5
068f4bb0ca8c61cc6ab137b32a99ad28

SHA1
799899b4f82cda09b14799100933456d5bd28357

SHA256
9aff48b1e7a2c10a2fd2d79f455ebf713722a46277bf2eb25edf0e09b8b076d4

SHA512
aee07ed7fa958d028b58e2a8ce7daaba526ba95c54bffedb87d89d607feb62425c0460c93898eefca2924256ffd68184446e9a01dd2170f84980b3d02f40aaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycfsu.exe

Filesize
4.1MB

MD5
068f4bb0ca8c61cc6ab137b32a99ad28

SHA1
799899b4f82cda09b14799100933456d5bd28357

SHA256
9aff48b1e7a2c10a2fd2d79f455ebf713722a46277bf2eb25edf0e09b8b076d4

SHA512
aee07ed7fa958d028b58e2a8ce7daaba526ba95c54bffedb87d89d607feb62425c0460c93898eefca2924256ffd68184446e9a01dd2170f84980b3d02f40aaa7

Download Submit
C:\Users\Admin\AppData\Local\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
7b70651dd1bcdc4e694deaaad5428864

SHA1
9577698b82d61cbfc287bcef85b2dfe7466c29a0

SHA256
b6701c717df60b3daa09906a93b37372a4acd8d6f90af0baf3f402f8b9f5b3f8

SHA512
589c016adaad487b00257fb8247d1bcc488176a800c3c973737db4f518497d0838127ee44e2c1da1ff282bddbbf80b7f30b0c1f3a9ea08e02bf5ab3e4c878cca

Download Submit
C:\Users\Admin\AppData\Local\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
73d00f3f0fb319350a1710190ddc8189

SHA1
b8d0a6a2ab9d6b0d959952c596d48c50c8d7157c

SHA256
ee29cf02cb1dc5a62483b7748ebfa5599822fa73ec4987bb1257544af52924c5

SHA512
0e611e102e720da4ba510902a8e4223ac60a62f83f451f69f47201b58889376950fa81d89975d495e82a068f0367831fad7cf012b1407a548899c595331cab14

Download Submit
C:\Users\Admin\AppData\Local\ayvcytwqtpjlmgsyrmigd.gbe

Filesize
280B

MD5
f8003fbd5552165d409600280c16cb08

SHA1
c74682c84453cf8146c09da9d22ede9ddfbafd5c

SHA256
5c80fe022f90cb2d923bebe4207e850218d266af1ecba8123297c2b7cae5a6d5

SHA512
1d5e92fb12ae1a9ada317dd748251e28f758aed3e67d75b16f17973341381022fb1f30897501f15441765a1e096d515bdeb722dc45ff91abdc9631f2facc83ff

Download Submit
C:\Users\Admin\AppData\Local\vemelrfkyfkxjolcgmtckcjpdiwdivhm.aek

Filesize
4KB

MD5
4969e7009f6399c79e44ca216a9f265b

SHA1
802504f5beba1696382156a7acf94f13325356eb

SHA256
086dcaa01e49cac432da6ade05fcd441c1b0393f45341481ac2be1de85a214a3

SHA512
3fa311d61cba97f4bec146116777d0f127ba5a4b3ad9161f78f64c1e724bb1daeab0ba652c32941235684a3641b5bc5cda270995f0dc83c44240ce12af544fbe

Download Submit
\Users\Admin\AppData\Local\Temp\ycfsu.exe

Filesize
4.1MB

MD5
068f4bb0ca8c61cc6ab137b32a99ad28

SHA1
799899b4f82cda09b14799100933456d5bd28357

SHA256
9aff48b1e7a2c10a2fd2d79f455ebf713722a46277bf2eb25edf0e09b8b076d4

SHA512
aee07ed7fa958d028b58e2a8ce7daaba526ba95c54bffedb87d89d607feb62425c0460c93898eefca2924256ffd68184446e9a01dd2170f84980b3d02f40aaa7

Download Submit
\Users\Admin\AppData\Local\Temp\ycfsu.exe

Filesize
4.1MB

MD5
068f4bb0ca8c61cc6ab137b32a99ad28

SHA1
799899b4f82cda09b14799100933456d5bd28357

SHA256
9aff48b1e7a2c10a2fd2d79f455ebf713722a46277bf2eb25edf0e09b8b076d4

SHA512
aee07ed7fa958d028b58e2a8ce7daaba526ba95c54bffedb87d89d607feb62425c0460c93898eefca2924256ffd68184446e9a01dd2170f84980b3d02f40aaa7

Download Submit
\Users\Admin\AppData\Local\Temp\ycfsu.exe

Filesize
4.1MB

MD5
068f4bb0ca8c61cc6ab137b32a99ad28

SHA1
799899b4f82cda09b14799100933456d5bd28357

SHA256
9aff48b1e7a2c10a2fd2d79f455ebf713722a46277bf2eb25edf0e09b8b076d4

SHA512
aee07ed7fa958d028b58e2a8ce7daaba526ba95c54bffedb87d89d607feb62425c0460c93898eefca2924256ffd68184446e9a01dd2170f84980b3d02f40aaa7

Download Submit
\Users\Admin\AppData\Local\Temp\ycfsu.exe

Filesize
4.1MB

MD5
068f4bb0ca8c61cc6ab137b32a99ad28

SHA1
799899b4f82cda09b14799100933456d5bd28357

SHA256
9aff48b1e7a2c10a2fd2d79f455ebf713722a46277bf2eb25edf0e09b8b076d4

SHA512
aee07ed7fa958d028b58e2a8ce7daaba526ba95c54bffedb87d89d607feb62425c0460c93898eefca2924256ffd68184446e9a01dd2170f84980b3d02f40aaa7

Download Submit