6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba

Analysis

max time kernel
65s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Size

3.2MB
MD5

0743446261cd62ae7d2045f0afe83720
SHA1

445af0099c6c494da6d901fd5d0ef11d5a9d2fdd
SHA256

6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba
SHA512

b790d765eb5257302854ec3d1be5a5c6080d550a8a0c3980cdf96a18b1496b6512e191b212b73bd318d009b25bb8032ee4bbe1f0bf47560c48b61971c56a52d2
SSDEEP

6144:n3ue8ySm8hQAAIfFrRXuEE+0l97mKwKUoqHVbV86JQPDHDdx/Qtqa:V/zkFF+EExZmKbUouV5PJQPDHvd

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	nouzjq.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nouzjq.exe

Adds policy Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "csnhgcxsqexyjitliiqgb.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjzumduoynkrmtha.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkapjaqgziwsysyl.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe"	nouzjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "aohzwqjcykbajgpfaye.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjzumduoynkrmtha.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "zkapjaqgziwsysyl.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjzumduoynkrmtha.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "pculhaskfqgemiqfzw.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeoxlwgqdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qylxocpcsyjcf = "ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nouzjq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nouzjq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	nouzjq.exe
2264	nouzjq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "csnhgcxsqexyjitliiqgb.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkapjaqgziwsysyl.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "aohzwqjcykbajgpfaye.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjzumduoynkrmtha.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gsjzumduoynkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "zkapjaqgziwsysyl.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uethaqfumuhchaf = "ncwpnicwtgyyigqhdcjy.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwpnicwtgyyigqhdcjy.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "zkapjaqgziwsysyl.exe ."	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gsjzumduoynkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkapjaqgziwsysyl.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uethaqfumuhchaf = "ncwpnicwtgyyigqhdcjy.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gsjzumduoynkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "pculhaskfqgemiqfzw.exe ."	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjzumduoynkrmtha.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "csnhgcxsqexyjitliiqgb.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkapjaqgziwsysyl.exe ."	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "gsjzumduoynkrmtha.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwpnicwtgyyigqhdcjy.exe ."	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uethaqfumuhchaf = "gsjzumduoynkrmtha.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "aohzwqjcykbajgpfaye.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "zkapjaqgziwsysyl.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gsjzumduoynkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjzumduoynkrmtha.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gsjzumduoynkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "aohzwqjcykbajgpfaye.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "gsjzumduoynkrmtha.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "pculhaskfqgemiqfzw.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "ncwpnicwtgyyigqhdcjy.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "pculhaskfqgemiqfzw.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uethaqfumuhchaf = "aohzwqjcykbajgpfaye.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "csnhgcxsqexyjitliiqgb.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uethaqfumuhchaf = "ncwpnicwtgyyigqhdcjy.exe ."	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gsjzumduoynkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "gsjzumduoynkrmtha.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkapjaqgziwsysyl.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkapjaqgziwsysyl.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pculhaskfqgemiqfzw.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "zkapjaqgziwsysyl.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "gsjzumduoynkrmtha.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnhgcxsqexyjitliiqgb.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gsjzumduoynkrmtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwpnicwtgyyigqhdcjy.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\raobtiwkbiuosk = "csnhgcxsqexyjitliiqgb.exe"	nouzjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkapjaqgziwsysyl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkapjaqgziwsysyl.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ualvkwhsgkt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe"	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\uethaqfumuhchaf = "zkapjaqgziwsysyl.exe ."	nouzjq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rykvlykwlqas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohzwqjcykbajgpfaye.exe ."	nouzjq.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nouzjq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nouzjq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	nouzjq.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	whatismyipaddress.com
27	www.showmyipaddress.com
31	whatismyip.everdot.org
38	whatismyip.everdot.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\eabbgijkoihofkbzciwstty.bcg	nouzjq.exe
File created	C:\Windows\SysWOW64\eabbgijkoihofkbzciwstty.bcg	nouzjq.exe
File opened for modification	C:\Windows\SysWOW64\rykvlykwlqasukmvjazgsdtgsetyiacsud.iho	nouzjq.exe
File created	C:\Windows\SysWOW64\rykvlykwlqasukmvjazgsdtgsetyiacsud.iho	nouzjq.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\eabbgijkoihofkbzciwstty.bcg	nouzjq.exe
File created	C:\Program Files (x86)\eabbgijkoihofkbzciwstty.bcg	nouzjq.exe
File opened for modification	C:\Program Files (x86)\rykvlykwlqasukmvjazgsdtgsetyiacsud.iho	nouzjq.exe
File created	C:\Program Files (x86)\rykvlykwlqasukmvjazgsdtgsetyiacsud.iho	nouzjq.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\eabbgijkoihofkbzciwstty.bcg	nouzjq.exe
File opened for modification	C:\Windows\rykvlykwlqasukmvjazgsdtgsetyiacsud.iho	nouzjq.exe
File created	C:\Windows\rykvlykwlqasukmvjazgsdtgsetyiacsud.iho	nouzjq.exe
File opened for modification	C:\Windows\eabbgijkoihofkbzciwstty.bcg	nouzjq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	nouzjq.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	nouzjq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2640	nouzjq.exe
2640	nouzjq.exe
2640	nouzjq.exe
2640	nouzjq.exe
2640	nouzjq.exe
2640	nouzjq.exe
2640	nouzjq.exe
2640	nouzjq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	nouzjq.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2640	5084	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe	91
PID 5084 wrote to memory of 2640	5084	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe	91
PID 5084 wrote to memory of 2640	5084	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe	91
PID 5084 wrote to memory of 2264	5084	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe	92
PID 5084 wrote to memory of 2264	5084	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe	92
PID 5084 wrote to memory of 2264	5084	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe	92

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nouzjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	nouzjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nouzjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	nouzjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	nouzjq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	nouzjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nouzjq.exe

C:\Users\Admin\AppData\Local\Temp\6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe
"C:\Users\Admin\AppData\Local\Temp\6bda5cd4ccf9dba7993a9a10c5f607a2a6cdca3f5d91c6a7017e117ef10cdcba.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5084
- C:\Users\Admin\AppData\Local\Temp\nouzjq.exe
  "C:\Users\Admin\AppData\Local\Temp\nouzjq.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\nouzjq.exe
  "C:\Users\Admin\AppData\Local\Temp\nouzjq.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - System policy modification
  PID:2264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\eabbgijkoihofkbzciwstty.bcg

Filesize
272B

MD5
1759ae6496855232fe84f647ce3756a9

SHA1
c610e666b323ceb0a551fb9e7bb25ec32d8f43f7

SHA256
c564f55c3f5c4c916dde1a210014c5b6caacf774cdf1757020e74801bfd9375e

SHA512
8a45517fef3bfda028e4e53e5fdbeb2dca31a7393fbbaa51b5718708addbcf26d09ee6f60e2324a902f8e8c67820882a51ecd95c305872fcf18a57caef0350f9

Download Submit
C:\Program Files (x86)\eabbgijkoihofkbzciwstty.bcg

Filesize
272B

MD5
6ce588073f1d3cf87278f9cb93bf94e0

SHA1
85046924cf708adc464c336f43547128eaef494a

SHA256
ec99e7e0de5df12948407f15f02ce9809f38ee75adfbdb69a93aae426e01ac1b

SHA512
ed6392dfcbe98a8f5853119042c737833bdcc8159277e9752b49c6939a68eed8e6f9e2ef7d1610489d12e5c6b546e9625eea35e3cb594028928d3e2ad0e893d2

Download Submit
C:\Program Files (x86)\eabbgijkoihofkbzciwstty.bcg

Filesize
272B

MD5
95d348d71fff686408e3c8d22e22b0a1

SHA1
45513e6a912e5aa283b8b493f7c93c8a67ff74a0

SHA256
b18f3800b4d000f881410e211094a7dc9fdcae621d6643cff083860873090956

SHA512
91a8acba33df7011f2a34b84a0b2be1a3250f1702ff7a7b8310e57ae32e3e9c7e63e776774437294787ae30fbb58b6436075e3162fffbdfef81d672baad6b43c

Download Submit
C:\Program Files (x86)\eabbgijkoihofkbzciwstty.bcg

Filesize
272B

MD5
2155163e074dc9f2f6957d0ddfff639e

SHA1
09588dbb158392706d332644b45da6dfdf081439

SHA256
f8157a8b6d42baa0410f579097cdf74df742801f18d03528d750ca1568ccd03e

SHA512
7c72f1c9f4249a65c349a0540eaf16b85d9512c195a1c7eb7c176d7e01303408dc48940229dddf43f2f0fe73c186d94f99e14b8a360a491fd1867f22ad207d67

Download Submit
C:\Program Files (x86)\eabbgijkoihofkbzciwstty.bcg

Filesize
272B

MD5
d274b092657412753a4736505029a9d2

SHA1
0ced03e832c1f4d1da514f63d8361e4e94626df0

SHA256
63bc84d3d01a11f093226a7d58687b96ab09a6655f99a816f862548ef23131e0

SHA512
b21f5b6853c2ab4ccf68cd442b4d3b10302630e420526ff6fb3c86b771741934dafb24b9d4d63b8d11fa76d28d632bd778a7b9baa794aaf8900026be664549ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouzjq.exe

Filesize
4.4MB

MD5
41d1baaeeebc7cc855bce8af6e83934c

SHA1
3b4352a536b9d60d7c5d3a8423a90adf15c9c721

SHA256
ba4f500cf4e81b674fbda91f7de2ecf24c80ed7b2180b57acebd388809d616b5

SHA512
299374f4f2d66dc26abafb0f8363ee3112b9c734117b6bf11c78785955bd894360d34bd6f9fb93372e4ccf4ab70eaaa83b4b09d3b68a192d9c39a0f6e8bdf99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouzjq.exe

Filesize
4.4MB

MD5
41d1baaeeebc7cc855bce8af6e83934c

SHA1
3b4352a536b9d60d7c5d3a8423a90adf15c9c721

SHA256
ba4f500cf4e81b674fbda91f7de2ecf24c80ed7b2180b57acebd388809d616b5

SHA512
299374f4f2d66dc26abafb0f8363ee3112b9c734117b6bf11c78785955bd894360d34bd6f9fb93372e4ccf4ab70eaaa83b4b09d3b68a192d9c39a0f6e8bdf99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouzjq.exe

Filesize
4.4MB

MD5
41d1baaeeebc7cc855bce8af6e83934c

SHA1
3b4352a536b9d60d7c5d3a8423a90adf15c9c721

SHA256
ba4f500cf4e81b674fbda91f7de2ecf24c80ed7b2180b57acebd388809d616b5

SHA512
299374f4f2d66dc26abafb0f8363ee3112b9c734117b6bf11c78785955bd894360d34bd6f9fb93372e4ccf4ab70eaaa83b4b09d3b68a192d9c39a0f6e8bdf99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nouzjq.exe

Filesize
4.4MB

MD5
41d1baaeeebc7cc855bce8af6e83934c

SHA1
3b4352a536b9d60d7c5d3a8423a90adf15c9c721

SHA256
ba4f500cf4e81b674fbda91f7de2ecf24c80ed7b2180b57acebd388809d616b5

SHA512
299374f4f2d66dc26abafb0f8363ee3112b9c734117b6bf11c78785955bd894360d34bd6f9fb93372e4ccf4ab70eaaa83b4b09d3b68a192d9c39a0f6e8bdf99d

Download Submit
C:\Users\Admin\AppData\Local\eabbgijkoihofkbzciwstty.bcg

Filesize
272B

MD5
d0159a243b0d52d3151e2b5f5e8ff014

SHA1
d9a374aa8e6abc23ed533b7e4e3d7b8be258ad77

SHA256
28e1f0b9156e3e40b1852f5bfb73a1fa5a4fe7643fa08a355f1d1a9dc5aed26a

SHA512
e42749f678add9db5fbaa2be179926a40256397950856ff9042f814bd9a95bbac1c9aa11f144c5c47f0b90eb83cf63ef4c093f6f02f19588e1ec0275889f23a5

Download Submit
C:\Users\Admin\AppData\Local\rykvlykwlqasukmvjazgsdtgsetyiacsud.iho

Filesize
3KB

MD5
489e61101bc35513665a35d801b729e0

SHA1
78640e94d23fc2526d3ca59ac80ff0ad460cfc7d

SHA256
813c649fe861dc44056b738908b161c85e04f62469b0a2f56a87d705cfa11454

SHA512
721944bdb9613b557bf5febbe18530ba5d385a9d3f9fc3f60efbca6941fc68f00dc4d7d82a0c9f0c394c086792e0f69d2e7a891b8abf091d47fe8d71812b1c43

Download Submit