0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc

Analysis

max time kernel
175s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Size

2.9MB
MD5

26ee73bbb953a8cad4eb15508ee2fa71
SHA1

12c5f6a6f74d1828ef954b8251f511bf683f0bd5
SHA256

0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc
SHA512

d75fbcfbc3a728ef3fa4588f12a2c31e5fd8fedde1911aadc5398566b202001d8b827b8152c280c9686ae025f482454e9c76245e4175901e605c1316a740095e
SSDEEP

12288:zXgvmzFHi0mo5aH0qMzd5807FLPJQPDHvd:zXgvOHi0mGaH0qSdPFt4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	jushgo.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jushgo.exe

Adds policy Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "listeyvgxuxsppfysf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "wufhtomyqosomneythf.exe"	jushgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\listeyvgxuxsppfysf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "vqyxgytcrmngbzne.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyhhrkgqgceyutiat.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "jiuxkgfslkpmlnfawlkw.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyhhrkgqgceyutiat.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "cyhhrkgqgceyutiat.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\listeyvgxuxsppfysf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "listeyvgxuxsppfysf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\listeyvgxuxsppfysf.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "cyhhrkgqgceyutiat.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qgjdhukoyok = "jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lyypqano = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyhhrkgqgceyutiat.exe"	jushgo.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jushgo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jushgo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe

Executes dropped EXE 2 IoCs

pid	Process
4896	jushgo.exe
2528	jushgo.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "yylpdaaoiiommpiebrrei.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qkrpxoiqeyyqkhu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qkrpxoiqeyyqkhu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiuxkgfslkpmlnfawlkw.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "cyhhrkgqgceyutiat.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qkrpxoiqeyyqkhu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "listeyvgxuxsppfysf.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyhhrkgqgceyutiat.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "yylpdaaoiiommpiebrrei.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngmjqgzgtmlcvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\listeyvgxuxsppfysf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yylpdaaoiiommpiebrrei.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "jiuxkgfslkpmlnfawlkw.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "wufhtomyqosomneythf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "cyhhrkgqgceyutiat.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "yylpdaaoiiommpiebrrei.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyhhrkgqgceyutiat.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "listeyvgxuxsppfysf.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "listeyvgxuxsppfysf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngmjqgzgtmlcvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wufhtomyqosomneythf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "jiuxkgfslkpmlnfawlkw.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "jiuxkgfslkpmlnfawlkw.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngmjqgzgtmlcvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yylpdaaoiiommpiebrrei.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "listeyvgxuxsppfysf.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "yylpdaaoiiommpiebrrei.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "cyhhrkgqgceyutiat.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "yylpdaaoiiommpiebrrei.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "listeyvgxuxsppfysf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qkrpxoiqeyyqkhu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "cyhhrkgqgceyutiat.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yylpdaaoiiommpiebrrei.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wufhtomyqosomneythf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "listeyvgxuxsppfysf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngmjqgzgtmlcvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wufhtomyqosomneythf.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\listeyvgxuxsppfysf.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "vqyxgytcrmngbzne.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngmjqgzgtmlcvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyhhrkgqgceyutiat.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "vqyxgytcrmngbzne.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "wufhtomyqosomneythf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "cyhhrkgqgceyutiat.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "vqyxgytcrmngbzne.exe"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngmjqgzgtmlcvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "vqyxgytcrmngbzne.exe ."	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qkrpxoiqeyyqkhu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vqyxgytcrmngbzne.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngmjqgzgtmlcvr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiuxkgfslkpmlnfawlkw.exe ."	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mejflasykcaqi = "listeyvgxuxsppfysf.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neidiwnsdurg = "yylpdaaoiiommpiebrrei.exe"	jushgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cqrjlwkmu = "wufhtomyqosomneythf.exe"	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jiuxkgfslkpmlnfawlkw.exe ."	jushgo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vkmfiujmvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\listeyvgxuxsppfysf.exe ."	jushgo.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jushgo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jushgo.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jushgo.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	whatismyip.everdot.org
55	www.showmyipaddress.com
68	whatismyip.everdot.org
46	whatismyipaddress.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\agzjdgmggmycirqsvrxqaux.xxd	jushgo.exe
File opened for modification	C:\Windows\SysWOW64\neidiwnsdurgxrbocjaezesjozqnctnxky.wav	jushgo.exe
File created	C:\Windows\SysWOW64\neidiwnsdurgxrbocjaezesjozqnctnxky.wav	jushgo.exe
File opened for modification	C:\Windows\SysWOW64\agzjdgmggmycirqsvrxqaux.xxd	jushgo.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\agzjdgmggmycirqsvrxqaux.xxd	jushgo.exe
File created	C:\Program Files (x86)\agzjdgmggmycirqsvrxqaux.xxd	jushgo.exe
File opened for modification	C:\Program Files (x86)\neidiwnsdurgxrbocjaezesjozqnctnxky.wav	jushgo.exe
File created	C:\Program Files (x86)\neidiwnsdurgxrbocjaezesjozqnctnxky.wav	jushgo.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\agzjdgmggmycirqsvrxqaux.xxd	jushgo.exe
File created	C:\Windows\agzjdgmggmycirqsvrxqaux.xxd	jushgo.exe
File opened for modification	C:\Windows\neidiwnsdurgxrbocjaezesjozqnctnxky.wav	jushgo.exe
File created	C:\Windows\neidiwnsdurgxrbocjaezesjozqnctnxky.wav	jushgo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	jushgo.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000_Classes\Local Settings	jushgo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe
4896	jushgo.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	jushgo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	jushgo.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4896	2508	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	92
PID 2508 wrote to memory of 4896	2508	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	92
PID 2508 wrote to memory of 4896	2508	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	92
PID 2508 wrote to memory of 2528	2508	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	93
PID 2508 wrote to memory of 2528	2508	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	93
PID 2508 wrote to memory of 2528	2508	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe	93

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jushgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jushgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jushgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	jushgo.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	jushgo.exe

C:\Users\Admin\AppData\Local\Temp\0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe
"C:\Users\Admin\AppData\Local\Temp\0708543fc8ed191deec43666172008379fcfa03a1729be27befa9e8f2289b6cc.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2508
- C:\Users\Admin\AppData\Local\Temp\jushgo.exe
  "C:\Users\Admin\AppData\Local\Temp\jushgo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\jushgo.exe
  "C:\Users\Admin\AppData\Local\Temp\jushgo.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - System policy modification
  PID:2528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\agzjdgmggmycirqsvrxqaux.xxd

Filesize
280B

MD5
1d2f7606264228f959200dd56bdbc5e6

SHA1
c07dbcaccd8fcae06670e330a4e3fc7bfed89f4f

SHA256
9f13af7f6dee2778b4f18fbb754afaf464cbc0d9abfc2497b22b24e31b6a6afb

SHA512
1020c7547db99f487c92f15cba23c14982c6fa1f9a241c2df0686b13a98e438d25d03dcd104c9a79fdaac8134166fe3a52eb40adc5a6668795fdcb0494760d27

Download Submit
C:\Program Files (x86)\agzjdgmggmycirqsvrxqaux.xxd

Filesize
280B

MD5
4c4dff45b600ef5e503e45413208ff3a

SHA1
4e58c4b04451e32c446ab5af53738c14cfe69d49

SHA256
1c32a475f9fa676e24ce9e1b6215a01bf7fa3f2d855808360826192080cad3d0

SHA512
12485bd0e80b23f37a1cdd33b68635a22cbfd8e45b97160022c7ca7e789fb68c31bc833788e209e53113d53304c36280c53cceeed2f2b01d951a5761be6d4871

Download Submit
C:\Program Files (x86)\agzjdgmggmycirqsvrxqaux.xxd

Filesize
280B

MD5
acbd875a17d2b9cc1b6a28e3576bd480

SHA1
b9ecc34909a6d0c55385fa3c0b6eae22236d6cb9

SHA256
89f8b64e2adee053d7c1696f4797dec2a7b66c9dfef87a788e11831502f614f1

SHA512
c030259f6d8eaaeff879d89a588e12da50783de07a37f962b0e996b693620a54eae8d9fe10418bf23eeccd1f2b042e6bd9f09e669d4034829daaa8e1a7c27cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jushgo.exe

Filesize
4.1MB

MD5
dbfdcc0a7d5abbea8edd9572a42b5659

SHA1
5325bc242e534e0b9bd8cfa262764b12dd8212f5

SHA256
9465bd22c87cedaa47e1aaecb1c9baf7c8849f349227f9b57b6b9fbba0eece4a

SHA512
d917f24d35a3e27bf6f7edeb51ca23860acab9ba4b3c7613c3c8c5a13bd1c40ade3a3f1737a2d6955872eba9e2017b5965b44908c321e177a6e17a942d7362f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jushgo.exe

Filesize
4.1MB

MD5
dbfdcc0a7d5abbea8edd9572a42b5659

SHA1
5325bc242e534e0b9bd8cfa262764b12dd8212f5

SHA256
9465bd22c87cedaa47e1aaecb1c9baf7c8849f349227f9b57b6b9fbba0eece4a

SHA512
d917f24d35a3e27bf6f7edeb51ca23860acab9ba4b3c7613c3c8c5a13bd1c40ade3a3f1737a2d6955872eba9e2017b5965b44908c321e177a6e17a942d7362f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jushgo.exe

Filesize
4.1MB

MD5
dbfdcc0a7d5abbea8edd9572a42b5659

SHA1
5325bc242e534e0b9bd8cfa262764b12dd8212f5

SHA256
9465bd22c87cedaa47e1aaecb1c9baf7c8849f349227f9b57b6b9fbba0eece4a

SHA512
d917f24d35a3e27bf6f7edeb51ca23860acab9ba4b3c7613c3c8c5a13bd1c40ade3a3f1737a2d6955872eba9e2017b5965b44908c321e177a6e17a942d7362f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jushgo.exe

Filesize
4.1MB

MD5
dbfdcc0a7d5abbea8edd9572a42b5659

SHA1
5325bc242e534e0b9bd8cfa262764b12dd8212f5

SHA256
9465bd22c87cedaa47e1aaecb1c9baf7c8849f349227f9b57b6b9fbba0eece4a

SHA512
d917f24d35a3e27bf6f7edeb51ca23860acab9ba4b3c7613c3c8c5a13bd1c40ade3a3f1737a2d6955872eba9e2017b5965b44908c321e177a6e17a942d7362f8

Download Submit
C:\Users\Admin\AppData\Local\agzjdgmggmycirqsvrxqaux.xxd

Filesize
280B

MD5
848c8c4c39fe822364ec391e4b69b853

SHA1
b7649d5a7027b7a46067f82221b8c3f9ae98e7ac

SHA256
e368ab1fea154e20a4474d6075ecad4b23d5aa593387eb51876500bf71459007

SHA512
2765dc7c5773936db809440a4466e100419bfba06efd8f421e0301e7e82bbd3a2f8996b8b2f39c72e2265244021d3be7ef0338ab8f64b2f3e8c7831410d689ca

Download Submit
C:\Users\Admin\AppData\Local\neidiwnsdurgxrbocjaezesjozqnctnxky.wav

Filesize
4KB

MD5
b7a03d3ad52e4b55710c92f9b618b198

SHA1
32599fc879aced9f917b920fc569aa1681df8d4c

SHA256
92194bde0dea5ce6deaf3a6a9c620ffd8f060107c89b9630c4f4179cfae1a693

SHA512
8ea15d14d1cdf8f75662ff70b3e71c931bbf64b92866d159e9efbdb6658e24334f8ed1beff86c38b914dc7a584fec48233401968519a1543cda0c579b40a109c

Download Submit