43ba4dd4ff8aed7cbdc459c220164a7ed4af302cd8c21ca3415346128aa4ad1c

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02df1f1a3cddaaba320be4c7a7dd7071.exe
Size

1016KB
MD5

02df1f1a3cddaaba320be4c7a7dd7071
SHA1

4b9a7ca107ec2e34d6b62c1ebfa0ee06747d4b4a
SHA256

43ba4dd4ff8aed7cbdc459c220164a7ed4af302cd8c21ca3415346128aa4ad1c
SHA512

66b1cf49765a899e13950c9b6a62b6a8ec6e6eb2c0d5cce5779789e0c379980d09c503d9fbf39785a7b8dad5fa554bd46dd73adf07bee49b443edeabd432404f
SSDEEP

6144:AIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:AIXsgtvm1De5YlOx6lzBH46Umu1q

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	qnssgssfaxc.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	timtvfp.exe

Adds policy Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdtexqdrkzblqja.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giztifctlibhvebwfbce.exe"	timtvfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixpcxshxsjnzgbubv.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "giztifctlibhvebwfbce.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "tukdrnjzqmejweaucxx.exe"	qnssgssfaxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	qnssgssfaxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixpcxshxsjnzgbubv.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixpcxshxsjnzgbubv.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "tukdrnjzqmejweaucxx.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skrbgtgnvi = "iixpcxshxsjnzgbubv.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timtvfp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giztifctlibhvebwfbce.exe"	timtvfp.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	timtvfp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	timtvfp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	qnssgssfaxc.exe

Executes dropped EXE 4 IoCs

pid	Process
2184	qnssgssfaxc.exe
2732	timtvfp.exe
2600	timtvfp.exe
1644	qnssgssfaxc.exe

Loads dropped DLL 8 IoCs

pid	Process
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2184	qnssgssfaxc.exe
2184	qnssgssfaxc.exe
2184	qnssgssfaxc.exe
2184	qnssgssfaxc.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "iixpcxshxsjnzgbubv.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "tukdrnjzqmejweaucxx.exe ."	qnssgssfaxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdtexqdrkzblqja.exe ."	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giztifctlibhvebwfbce.exe ."	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgrfofwhtkxxfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "sqdtexqdrkzblqja.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgrfofwhtkxxfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giztifctlibhvebwfbce.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixpcxshxsjnzgbubv.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kenzgvktdsdb = "giztifctlibhvebwfbce.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giztifctlibhvebwfbce.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "iixpcxshxsjnzgbubv.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kenzgvktdsdb = "giztifctlibhvebwfbce.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "sqdtexqdrkzblqja.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kenzgvktdsdb = "sqdtexqdrkzblqja.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "giztifctlibhvebwfbce.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "tukdrnjzqmejweaucxx.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "sqdtexqdrkzblqja.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdtexqdrkzblqja.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kenzgvktdsdb = "tukdrnjzqmejweaucxx.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giztifctlibhvebwfbce.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgrfofwhtkxxfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixpcxshxsjnzgbubv.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "zymdpjdrgaqtekewc.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdtexqdrkzblqja.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "giztifctlibhvebwfbce.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "iixpcxshxsjnzgbubv.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgrfofwhtkxxfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqlbzxpigahwgeakhjme.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgrfofwhtkxxfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixpcxshxsjnzgbubv.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeobjzpzkamls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "vyqlbzxpigahwgeakhjme.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukdrnjzqmejweaucxx.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe ."	qnssgssfaxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "iixpcxshxsjnzgbubv.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "sqdtexqdrkzblqja.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "vyqlbzxpigahwgeakhjme.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgrfofwhtkxxfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdtexqdrkzblqja.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "tukdrnjzqmejweaucxx.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kenzgvktdsdb = "tukdrnjzqmejweaucxx.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "zymdpjdrgaqtekewc.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kenzgvktdsdb = "sqdtexqdrkzblqja.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "tukdrnjzqmejweaucxx.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kgrfofwhtkxxfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqlbzxpigahwgeakhjme.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\ngozfthpymw = "zymdpjdrgaqtekewc.exe"	qnssgssfaxc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymdpjdrgaqtekewc.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\iydlozkp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixpcxshxsjnzgbubv.exe"	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqlbzxpigahwgeakhjme.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\kenzgvktdsdb = "zymdpjdrgaqtekewc.exe ."	timtvfp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zqwfjvhnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\giztifctlibhvebwfbce.exe ."	timtvfp.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	timtvfp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	timtvfp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	qnssgssfaxc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	qnssgssfaxc.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyipaddress.com
4	whatismyip.everdot.org
5	www.showmyipaddress.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	timtvfp.exe
File created	C:\autorun.inf	timtvfp.exe
File opened for modification	F:\autorun.inf	timtvfp.exe
File created	F:\autorun.inf	timtvfp.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vyqlbzxpigahwgeakhjme.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\mqjfwvunhgbjzkjgrpswpl.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\tukdrnjzqmejweaucxx.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\sqdtexqdrkzblqja.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\sqdtexqdrkzblqja.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\iixpcxshxsjnzgbubv.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\sqdtexqdrkzblqja.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\sqdtexqdrkzblqja.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\giztifctlibhvebwfbce.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\tukdrnjzqmejweaucxx.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\mqjfwvunhgbjzkjgrpswpl.exe	timtvfp.exe
File created	C:\Windows\SysWOW64\xgefbfjhgkkxsimoehpywxt.bzy	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\vyqlbzxpigahwgeakhjme.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\iixpcxshxsjnzgbubv.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\giztifctlibhvebwfbce.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\kenzgvktdsdbhixklzsmvhodsblaljpqfs.hau	timtvfp.exe
File created	C:\Windows\SysWOW64\kenzgvktdsdbhixklzsmvhodsblaljpqfs.hau	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\mqjfwvunhgbjzkjgrpswpl.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\tukdrnjzqmejweaucxx.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\zymdpjdrgaqtekewc.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\tukdrnjzqmejweaucxx.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\zymdpjdrgaqtekewc.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\vyqlbzxpigahwgeakhjme.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\vyqlbzxpigahwgeakhjme.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\xgefbfjhgkkxsimoehpywxt.bzy	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\iixpcxshxsjnzgbubv.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\mqjfwvunhgbjzkjgrpswpl.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\SysWOW64\zymdpjdrgaqtekewc.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\iixpcxshxsjnzgbubv.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\zymdpjdrgaqtekewc.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\giztifctlibhvebwfbce.exe	timtvfp.exe
File opened for modification	C:\Windows\SysWOW64\giztifctlibhvebwfbce.exe	qnssgssfaxc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\xgefbfjhgkkxsimoehpywxt.bzy	timtvfp.exe
File created	C:\Program Files (x86)\xgefbfjhgkkxsimoehpywxt.bzy	timtvfp.exe
File opened for modification	C:\Program Files (x86)\kenzgvktdsdbhixklzsmvhodsblaljpqfs.hau	timtvfp.exe
File created	C:\Program Files (x86)\kenzgvktdsdbhixklzsmvhodsblaljpqfs.hau	timtvfp.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tukdrnjzqmejweaucxx.exe	timtvfp.exe
File opened for modification	C:\Windows\mqjfwvunhgbjzkjgrpswpl.exe	timtvfp.exe
File opened for modification	C:\Windows\iixpcxshxsjnzgbubv.exe	timtvfp.exe
File opened for modification	C:\Windows\iixpcxshxsjnzgbubv.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\giztifctlibhvebwfbce.exe	timtvfp.exe
File opened for modification	C:\Windows\tukdrnjzqmejweaucxx.exe	timtvfp.exe
File opened for modification	C:\Windows\vyqlbzxpigahwgeakhjme.exe	timtvfp.exe
File opened for modification	C:\Windows\kenzgvktdsdbhixklzsmvhodsblaljpqfs.hau	timtvfp.exe
File opened for modification	C:\Windows\iixpcxshxsjnzgbubv.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\mqjfwvunhgbjzkjgrpswpl.exe	timtvfp.exe
File created	C:\Windows\kenzgvktdsdbhixklzsmvhodsblaljpqfs.hau	timtvfp.exe
File opened for modification	C:\Windows\giztifctlibhvebwfbce.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\zymdpjdrgaqtekewc.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\sqdtexqdrkzblqja.exe	timtvfp.exe
File opened for modification	C:\Windows\sqdtexqdrkzblqja.exe	timtvfp.exe
File opened for modification	C:\Windows\giztifctlibhvebwfbce.exe	timtvfp.exe
File created	C:\Windows\xgefbfjhgkkxsimoehpywxt.bzy	timtvfp.exe
File opened for modification	C:\Windows\zymdpjdrgaqtekewc.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\mqjfwvunhgbjzkjgrpswpl.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\mqjfwvunhgbjzkjgrpswpl.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\vyqlbzxpigahwgeakhjme.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\zymdpjdrgaqtekewc.exe	timtvfp.exe
File opened for modification	C:\Windows\iixpcxshxsjnzgbubv.exe	timtvfp.exe
File opened for modification	C:\Windows\sqdtexqdrkzblqja.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\giztifctlibhvebwfbce.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\xgefbfjhgkkxsimoehpywxt.bzy	timtvfp.exe
File opened for modification	C:\Windows\zymdpjdrgaqtekewc.exe	timtvfp.exe
File opened for modification	C:\Windows\tukdrnjzqmejweaucxx.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\vyqlbzxpigahwgeakhjme.exe	timtvfp.exe
File opened for modification	C:\Windows\tukdrnjzqmejweaucxx.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\vyqlbzxpigahwgeakhjme.exe	qnssgssfaxc.exe
File opened for modification	C:\Windows\sqdtexqdrkzblqja.exe	qnssgssfaxc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe
2732	timtvfp.exe
2732	timtvfp.exe
2256	02df1f1a3cddaaba320be4c7a7dd7071.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	timtvfp.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2184	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	24
PID 2256 wrote to memory of 2184	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	24
PID 2256 wrote to memory of 2184	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	24
PID 2256 wrote to memory of 2184	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	24
PID 2184 wrote to memory of 2732	2184	qnssgssfaxc.exe	30
PID 2184 wrote to memory of 2732	2184	qnssgssfaxc.exe	30
PID 2184 wrote to memory of 2732	2184	qnssgssfaxc.exe	30
PID 2184 wrote to memory of 2732	2184	qnssgssfaxc.exe	30
PID 2184 wrote to memory of 2600	2184	qnssgssfaxc.exe	29
PID 2184 wrote to memory of 2600	2184	qnssgssfaxc.exe	29
PID 2184 wrote to memory of 2600	2184	qnssgssfaxc.exe	29
PID 2184 wrote to memory of 2600	2184	qnssgssfaxc.exe	29
PID 2256 wrote to memory of 1644	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	33
PID 2256 wrote to memory of 1644	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	33
PID 2256 wrote to memory of 1644	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	33
PID 2256 wrote to memory of 1644	2256	02df1f1a3cddaaba320be4c7a7dd7071.exe	33

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	timtvfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	timtvfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	qnssgssfaxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	timtvfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qnssgssfaxc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	timtvfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	timtvfp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	qnssgssfaxc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	timtvfp.exe

C:\Users\Admin\AppData\Local\Temp\02df1f1a3cddaaba320be4c7a7dd7071.exe
"C:\Users\Admin\AppData\Local\Temp\02df1f1a3cddaaba320be4c7a7dd7071.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe
  "C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe" "c:\users\admin\appdata\local\temp\02df1f1a3cddaaba320be4c7a7dd7071.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\timtvfp.exe
    "C:\Users\Admin\AppData\Local\Temp\timtvfp.exe" "-C:\Users\Admin\AppData\Local\Temp\sqdtexqdrkzblqja.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2600
- - C:\Users\Admin\AppData\Local\Temp\timtvfp.exe
    "C:\Users\Admin\AppData\Local\Temp\timtvfp.exe" "-C:\Users\Admin\AppData\Local\Temp\sqdtexqdrkzblqja.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe
  "C:\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe" "c:\users\admin\appdata\local\temp\02df1f1a3cddaaba320be4c7a7dd7071.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\xgefbfjhgkkxsimoehpywxt.bzy

Filesize
280B

MD5
71015f9c29456945f9ed1af0bb78c242

SHA1
88c37ecee44ed218f789a93b089d4ba6a370f596

SHA256
05e42def02ad5062eb9c04d2fb0dfee57836bbc895962e9080eae07a72235bed

SHA512
675e195af4d1781a25e1038a681319b0d5e63b468210c511acc437d8ae0d80bee287a6fd0575889a35fb193d51cbfb53c431eef97abef298305fbe56862ed60d

Download Submit
C:\Program Files (x86)\xgefbfjhgkkxsimoehpywxt.bzy

Filesize
280B

MD5
84c078a70cbf13bca1f2e59cc0019234

SHA1
5eed44e8becab837b58de0da7aa3d5918db56710

SHA256
130c74b7a5a6f6b70177b33dff3e57263e9af814df6caf58fb623ca293bbf137

SHA512
05a4d8016536683d3e44c36649cf69975fd933fa675b7ca10daf0ff81cac6ee55bd6248063f0b03f877dc95767126c1b66c2e79afa2ada2bd06c1fcbe67753d0

Download Submit
C:\Windows\sqdtexqdrkzblqja.exe

Filesize
96KB

MD5
03f592abf9023c1297760ee4b9363088

SHA1
7a72160bededf790ed2ce1a8072eddea23314d98

SHA256
d7036534ec897a0aac4eeb55419b90554dd7ad97410a094013b8c933d983bf65

SHA512
64a6239686761087e897ac2a2ef510cf48bcca4f8043168b392d916087901f9699e336886a9fc6ab43da0f667dc3a5463b09549970b9c88205d2aa40c60d1f06

Download Submit
C:\Windows\zymdpjdrgaqtekewc.exe

Filesize
92KB

MD5
93e508d09da05e91c08425ef6ad8f5dc

SHA1
23fc42b818a05fc6e70cb85ba650f994c32ab71a

SHA256
98fd34fb8b163c494996a6977124377ba668b3aa7f3bedcc10ee627e3c8cacef

SHA512
a7544c88c016df40ee44872c27e2e5ffc2d3da27f0c95fefe306b6d2d6d946b0154b04ecee2b9292b1ce5c6c5f4f3bb2ed2ea13e08e5d46f6c6ce83563cee68a

Download Submit
\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe

Filesize
92KB

MD5
36df8034e4c2ef26cb0bb57fb173d845

SHA1
4b4321fd94bf28e477fdfcd91dbe8059e4198dfe

SHA256
b26153efd84fc78393f18c8187e755e38f098fe967394cf02b3970b6382dfd7d

SHA512
4036dc26cda6222d1604eeb4166a0913f938a7bf78ce77ba0f563ae636fa0ff0289da90270a733365f873561f90a3589f9ea6cc00eeb7fbaee23c98cd42830cf

Download Submit
\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe

Filesize
320KB

MD5
1f9f07b99a639e1ec8f5fe336e2545e2

SHA1
fcaba30051a9929dd8db1182c52c8f6cfb62d772

SHA256
ab32c6bf3f0d38a123223bff546de42a7d54c22b4e56ea4a89cd20a819c65bf2

SHA512
da3534a530dd33e2fe93823759ac7bff5f5cb154baa744622e7cb30dd52e99f63585b2ca10a64703aa77c9b29acebc1bd00c23fccfa8af8156f9fbe42b3110a3

Download Submit
\Users\Admin\AppData\Local\Temp\qnssgssfaxc.exe

Filesize
54KB

MD5
ebfb3c9258db977125f18aedd2200f2b

SHA1
d9528b531fffbece9f42d1ff6ba5126992d68a6a

SHA256
d46f380c0cf57f9fb82b24ef3772bf6bd5388fbb114d8b867c902e327cf58862

SHA512
090195f7ea7bed6534ad8b99fd982ca7df445b6ea9f9fa320b8fbe5c57033c68716a44ff00c6e0c028cb4eec06719a4b4d6b742b0bf75e209670f94f21f7110c

Download Submit
\Users\Admin\AppData\Local\Temp\timtvfp.exe

Filesize
124KB

MD5
3e043ab67a51fe3c9a40b75c1ce841dd

SHA1
30005bb665587fc114ca1fadf20eaa00b620f576

SHA256
5217f94c1308a2812d6e68bd91782aca1d7e347cab3b9736e012448e6bf1127e

SHA512
840b2cfc865398d9e5d8578a22cd85a1a1c2866dd8f2437c9d8056c5eec776713a961e9af01a09dfd8f1240809317dcc146bd3e89d5c23d765b1579eaf052dc2

Download Submit
\Users\Admin\AppData\Local\Temp\timtvfp.exe

Filesize
92KB

MD5
27af30fef6c3d05511e8bfd1b6cdd174

SHA1
d409dfa5ad1588abec4e659c6143d6bffca40e43

SHA256
bde696dfc1156c0e2673fc194ea6cbdc8c011206e69893582820b22fadf2173a

SHA512
0c888fb1a1c9ceefb59da9b2b3079e518f316a1d24d3b731e42d2ee372cc85f8d7ec1695da287ce5eb1df9e068cf7ad1da838f62f4d0ab6343c28e0a26b9edea

Download Submit