43ba4dd4ff8aed7cbdc459c220164a7ed4af302cd8c21ca3415346128aa4ad1c

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02df1f1a3cddaaba320be4c7a7dd7071.exe
Size

1016KB
MD5

02df1f1a3cddaaba320be4c7a7dd7071
SHA1

4b9a7ca107ec2e34d6b62c1ebfa0ee06747d4b4a
SHA256

43ba4dd4ff8aed7cbdc459c220164a7ed4af302cd8c21ca3415346128aa4ad1c
SHA512

66b1cf49765a899e13950c9b6a62b6a8ec6e6eb2c0d5cce5779789e0c379980d09c503d9fbf39785a7b8dad5fa554bd46dd73adf07bee49b443edeabd432404f
SSDEEP

6144:AIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUmDa1is0f:AIXsgtvm1De5YlOx6lzBH46Umu1q

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ocgvrnimymq.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ocgvrnimymq.exe

Adds policy Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttidypeypkcykhlpsex.exe"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "zxkdwlyqfyoisnprs.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "vxolibsoheywkjpvaojlc.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "spbtlzlcqixqztuv.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "ghxtphxskgzwjhmrvicd.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "spbtlzlcqixqztuv.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "zxkdwlyqfyoisnprs.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "ghxtphxskgzwjhmrvicd.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gtvdlp = "ttidypeypkcykhlpsex.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fpo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttidypeypkcykhlpsex.exe"	ocgvrnimymq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ocgvrnimymq.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhipw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhipw.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	02df1f1a3cddaaba320be4c7a7dd7071.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ocgvrnimymq.exe

Executes dropped EXE 4 IoCs

pid	Process
1600	ocgvrnimymq.exe
2344	vhipw.exe
5116	vhipw.exe
2264	ocgvrnimymq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe ."	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thktchk = "ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ixblvbfo = "ghxtphxskgzwjhmrvicd.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ixblvbfo = "ihvpjzngwqhcnjmprc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thktchk = "vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spbtlzlcqixqztuv.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "ihvpjzngwqhcnjmprc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spbtlzlcqixqztuv.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "ghxtphxskgzwjhmrvicd.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "ttidypeypkcykhlpsex.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttidypeypkcykhlpsex.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ixblvbfo = "spbtlzlcqixqztuv.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "ttidypeypkcykhlpsex.exe ."	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "spbtlzlcqixqztuv.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "spbtlzlcqixqztuv.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thktchk = "ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ixblvbfo = "zxkdwlyqfyoisnprs.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "vxolibsoheywkjpvaojlc.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spbtlzlcqixqztuv.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttidypeypkcykhlpsex.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxolibsoheywkjpvaojlc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spbtlzlcqixqztuv.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe ."	ocgvrnimymq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "vxolibsoheywkjpvaojlc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxkdwlyqfyoisnprs.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spbtlzlcqixqztuv.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "ghxtphxskgzwjhmrvicd.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "ghxtphxskgzwjhmrvicd.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thktchk = "zxkdwlyqfyoisnprs.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thktchk = "zxkdwlyqfyoisnprs.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "spbtlzlcqixqztuv.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mxxd = "vxolibsoheywkjpvaojlc.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thktchk = "ghxtphxskgzwjhmrvicd.exe"	ocgvrnimymq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mxxd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\thktchk = "ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sjpbnvbmug = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihvpjzngwqhcnjmprc.exe"	vhipw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ixblvbfo = "vxolibsoheywkjpvaojlc.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zpufqxcmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghxtphxskgzwjhmrvicd.exe ."	vhipw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhipw = "spbtlzlcqixqztuv.exe ."	vhipw.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ocgvrnimymq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ocgvrnimymq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhipw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhipw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vhipw.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	whatismyip.everdot.org
24	whatismyip.everdot.org
28	www.showmyipaddress.com
34	whatismyip.everdot.org
35	whatismyipaddress.com

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	vhipw.exe
File created	C:\autorun.inf	vhipw.exe
File opened for modification	F:\autorun.inf	vhipw.exe
File created	F:\autorun.inf	vhipw.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\spbtlzlcqixqztuv.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\zxkdwlyqfyoisnprs.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\spbtlzlcqixqztuv.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\ihvpjzngwqhcnjmprc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\zxkdwlyqfyoisnprs.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\ttidypeypkcykhlpsex.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\mphfdxpmgezynnubhwsvnl.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\ihvpjzngwqhcnjmprc.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\ghxtphxskgzwjhmrvicd.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\ttidypeypkcykhlpsex.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\spbtlzlcqixqztuv.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\ghxtphxskgzwjhmrvicd.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\ttidypeypkcykhlpsex.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\mphfdxpmgezynnubhwsvnl.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\zxkdwlyqfyoisnprs.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\vxolibsoheywkjpvaojlc.exe	vhipw.exe
File created	C:\Windows\SysWOW64\vhipwzagjqucajzpechtubilmsv.gom	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\ttidypeypkcykhlpsex.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\spbtlzlcqixqztuvveurdvnbneskzsbvwxxgwt.xpd	vhipw.exe
File created	C:\Windows\SysWOW64\spbtlzlcqixqztuvveurdvnbneskzsbvwxxgwt.xpd	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\vxolibsoheywkjpvaojlc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\vhipwzagjqucajzpechtubilmsv.gom	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\mphfdxpmgezynnubhwsvnl.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\mphfdxpmgezynnubhwsvnl.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\zxkdwlyqfyoisnprs.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\spbtlzlcqixqztuv.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\ghxtphxskgzwjhmrvicd.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\vxolibsoheywkjpvaojlc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\vxolibsoheywkjpvaojlc.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\ihvpjzngwqhcnjmprc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\SysWOW64\ihvpjzngwqhcnjmprc.exe	vhipw.exe
File opened for modification	C:\Windows\SysWOW64\ghxtphxskgzwjhmrvicd.exe	vhipw.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\vhipwzagjqucajzpechtubilmsv.gom	vhipw.exe
File created	C:\Program Files (x86)\vhipwzagjqucajzpechtubilmsv.gom	vhipw.exe
File opened for modification	C:\Program Files (x86)\spbtlzlcqixqztuvveurdvnbneskzsbvwxxgwt.xpd	vhipw.exe
File created	C:\Program Files (x86)\spbtlzlcqixqztuvveurdvnbneskzsbvwxxgwt.xpd	vhipw.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ihvpjzngwqhcnjmprc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\vxolibsoheywkjpvaojlc.exe	vhipw.exe
File opened for modification	C:\Windows\ihvpjzngwqhcnjmprc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\spbtlzlcqixqztuv.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\ttidypeypkcykhlpsex.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\mphfdxpmgezynnubhwsvnl.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\ghxtphxskgzwjhmrvicd.exe	vhipw.exe
File opened for modification	C:\Windows\vxolibsoheywkjpvaojlc.exe	vhipw.exe
File opened for modification	C:\Windows\vhipwzagjqucajzpechtubilmsv.gom	vhipw.exe
File opened for modification	C:\Windows\vxolibsoheywkjpvaojlc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\vxolibsoheywkjpvaojlc.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\spbtlzlcqixqztuv.exe	vhipw.exe
File opened for modification	C:\Windows\mphfdxpmgezynnubhwsvnl.exe	vhipw.exe
File opened for modification	C:\Windows\zxkdwlyqfyoisnprs.exe	vhipw.exe
File created	C:\Windows\vhipwzagjqucajzpechtubilmsv.gom	vhipw.exe
File created	C:\Windows\spbtlzlcqixqztuvveurdvnbneskzsbvwxxgwt.xpd	vhipw.exe
File opened for modification	C:\Windows\mphfdxpmgezynnubhwsvnl.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\ihvpjzngwqhcnjmprc.exe	vhipw.exe
File opened for modification	C:\Windows\ttidypeypkcykhlpsex.exe	vhipw.exe
File opened for modification	C:\Windows\spbtlzlcqixqztuv.exe	vhipw.exe
File opened for modification	C:\Windows\ihvpjzngwqhcnjmprc.exe	vhipw.exe
File opened for modification	C:\Windows\ttidypeypkcykhlpsex.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\mphfdxpmgezynnubhwsvnl.exe	vhipw.exe
File opened for modification	C:\Windows\zxkdwlyqfyoisnprs.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\ghxtphxskgzwjhmrvicd.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\ghxtphxskgzwjhmrvicd.exe	vhipw.exe
File opened for modification	C:\Windows\spbtlzlcqixqztuvveurdvnbneskzsbvwxxgwt.xpd	vhipw.exe
File opened for modification	C:\Windows\spbtlzlcqixqztuv.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\zxkdwlyqfyoisnprs.exe	vhipw.exe
File opened for modification	C:\Windows\ttidypeypkcykhlpsex.exe	vhipw.exe
File opened for modification	C:\Windows\ghxtphxskgzwjhmrvicd.exe	ocgvrnimymq.exe
File opened for modification	C:\Windows\zxkdwlyqfyoisnprs.exe	ocgvrnimymq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
2344	vhipw.exe
2344	vhipw.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
2344	vhipw.exe
2344	vhipw.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe
880	02df1f1a3cddaaba320be4c7a7dd7071.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	vhipw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1600	880	02df1f1a3cddaaba320be4c7a7dd7071.exe	48
PID 880 wrote to memory of 1600	880	02df1f1a3cddaaba320be4c7a7dd7071.exe	48
PID 880 wrote to memory of 1600	880	02df1f1a3cddaaba320be4c7a7dd7071.exe	48
PID 1600 wrote to memory of 2344	1600	ocgvrnimymq.exe	91
PID 1600 wrote to memory of 2344	1600	ocgvrnimymq.exe	91
PID 1600 wrote to memory of 2344	1600	ocgvrnimymq.exe	91
PID 1600 wrote to memory of 5116	1600	ocgvrnimymq.exe	92
PID 1600 wrote to memory of 5116	1600	ocgvrnimymq.exe	92
PID 1600 wrote to memory of 5116	1600	ocgvrnimymq.exe	92
PID 880 wrote to memory of 2264	880	02df1f1a3cddaaba320be4c7a7dd7071.exe	110
PID 880 wrote to memory of 2264	880	02df1f1a3cddaaba320be4c7a7dd7071.exe	110
PID 880 wrote to memory of 2264	880	02df1f1a3cddaaba320be4c7a7dd7071.exe	110

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ocgvrnimymq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	vhipw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ocgvrnimymq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ocgvrnimymq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	vhipw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	vhipw.exe

C:\Users\Admin\AppData\Local\Temp\02df1f1a3cddaaba320be4c7a7dd7071.exe
"C:\Users\Admin\AppData\Local\Temp\02df1f1a3cddaaba320be4c7a7dd7071.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\ocgvrnimymq.exe
  "C:\Users\Admin\AppData\Local\Temp\ocgvrnimymq.exe" "c:\users\admin\appdata\local\temp\02df1f1a3cddaaba320be4c7a7dd7071.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\vhipw.exe
    "C:\Users\Admin\AppData\Local\Temp\vhipw.exe" "-C:\Users\Admin\AppData\Local\Temp\spbtlzlcqixqztuv.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\vhipw.exe
    "C:\Users\Admin\AppData\Local\Temp\vhipw.exe" "-C:\Users\Admin\AppData\Local\Temp\spbtlzlcqixqztuv.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:5116
- C:\Users\Admin\AppData\Local\Temp\ocgvrnimymq.exe
  "C:\Users\Admin\AppData\Local\Temp\ocgvrnimymq.exe" "c:\users\admin\appdata\local\temp\02df1f1a3cddaaba320be4c7a7dd7071.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\vhipwzagjqucajzpechtubilmsv.gom

Filesize
280B

MD5
0b6b7a1e9202fbd1505edfe2f5a43e8d

SHA1
0d1606475b26b7e919897800b6bfc476ee58e12f

SHA256
b6da647f3d1920a6e783a2463892f1982a791529570a3e92d2c5a72a14c17993

SHA512
f8c252ddd9122e834731e5eca286e414d247f58051fcd3019a03b0d9bb7359ef656dd73ad2e5f104774e85e8c6197e16300e3572996e1c2269609c19dd4ea52f

Download Submit
C:\Program Files (x86)\vhipwzagjqucajzpechtubilmsv.gom

Filesize
280B

MD5
a6864d77e0f4d2a6beb5178d42a75598

SHA1
5bdea92c07949cc042e25a6e21b6a4acd1a03b7d

SHA256
56750f4d93291c334bb86bd58f5e4649a78c26117e5ed1796f2e8c829f41c902

SHA512
0e9093f3c46c362f4154bac73f146ed763359e195dc5d01759ae39c5a8535ef1f1562f4774d901d425d5acd72a3d738733593a5b6161eb6ff2aaa738e72b614d

Download Submit
C:\Program Files (x86)\vhipwzagjqucajzpechtubilmsv.gom

Filesize
280B

MD5
9d1837ba9a716b873572af5e328c93d5

SHA1
1a1ba6a93cd39b03b914762c430b9468523389ff

SHA256
b17615bb6036c7bde159e6517de7043ac3f5aa0d22bcd638baf27c5aec3c637f

SHA512
5edc75f152a70caeb505a60eef9a90cedc2a500d2ee3546dbb0cb833c6d478782c8eb4a2d62fcc87e4d33309c2cd9d69238249b293ac74955c1e8546aa4571fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocgvrnimymq.exe

Filesize
320KB

MD5
d90e7e8a21aeb9e0a9c10ff9891810b3

SHA1
c2fcb61e5320ea3ac87123aa38e4de848bd73534

SHA256
7da5a96b21c061f0b5588240b9d984ea32dd2611acf1d4340b6cb2fe3c943986

SHA512
5fb6b7113805edf1f0f2cde3c78476b2a94154ff57823624e9d517a765166167c755f114a23ced97e60e664dc11b66177db3d02e6892a0c6da37650f18676741

Download Submit
C:\Users\Admin\AppData\Local\Temp\ocgvrnimymq.exe

Filesize
92KB

MD5
ed9fe39e290e0d6200574ca2b2d6d2cf

SHA1
d5f52ebbc4455cc752ccf98b5b4c483a2e2bd876

SHA256
8960af1e36195fa798f76cd9005b526a3f53a22964d79b4c052e9e955d3749d6

SHA512
5b8824c40da83916187831779205aab3ca61ba0eec430a6471a692188f3b9ec4bb5db8949866dbe4b5e9bc0b88b82b405de493d83f52636a9e28c130441dd3b0

Download Submit
C:\Users\Admin\AppData\Local\vhipwzagjqucajzpechtubilmsv.gom

Filesize
280B

MD5
17d996a1aa79b0deb320709844812f2a

SHA1
b48ac032b6332ad3f36cc8efe7704076fafb1910

SHA256
c7c703200f30a0eb07623250e5067a0d68f58cf8d484fa50e06c817e56b8495e

SHA512
4b7a65bf65179ab2bc0546040882dc5402d51cee138eb8386c81382d9ee0bd4443417b0b1a68b129ba5cfe94934c870085e72e28b6de3241f819d144628b4d44

Download Submit
C:\Users\Admin\AppData\Local\vhipwzagjqucajzpechtubilmsv.gom

Filesize
280B

MD5
877e3917352aef03d1c3f1cbab1f6609

SHA1
d76f1a74061d5f9e3c9c824ace4f171045b6715a

SHA256
80f3cb0d6410ae406abd29b5d12161f6b53413268eac6d9bf681f0b976e0e560

SHA512
b5bc985db0f83eaca3f1d7051800e382d403e7bae9c3c260a981625856f1c8638e43e1f03cb716efc62c4131b2339f7d82b0e17441fc8faf871139e3eaf987dc

Download Submit
C:\Windows\SysWOW64\spbtlzlcqixqztuv.exe

Filesize
381KB

MD5
f72e35a5e3cdab0d951f83103f1411f9

SHA1
4a695770f79981bd0d7f172b0e6726b693424b16

SHA256
041147b54d165e9295ec9bc1da16d7ce8d039256e8154bbe66cfadcd042aa704

SHA512
6ea1e4f493feb429fb44f773f9373ae04effa6bf6f988632fdccd8d24557fc97f0f0383eeb85cabd565fea1efb1df6373be7ebce5e4ec58b91e5ba570872e28f

Download Submit
C:\Windows\ihvpjzngwqhcnjmprc.exe

Filesize
1016KB

MD5
02df1f1a3cddaaba320be4c7a7dd7071

SHA1
4b9a7ca107ec2e34d6b62c1ebfa0ee06747d4b4a

SHA256
43ba4dd4ff8aed7cbdc459c220164a7ed4af302cd8c21ca3415346128aa4ad1c

SHA512
66b1cf49765a899e13950c9b6a62b6a8ec6e6eb2c0d5cce5779789e0c379980d09c503d9fbf39785a7b8dad5fa554bd46dd73adf07bee49b443edeabd432404f

Download Submit
C:\Windows\mphfdxpmgezynnubhwsvnl.exe

Filesize
92KB

MD5
93e508d09da05e91c08425ef6ad8f5dc

SHA1
23fc42b818a05fc6e70cb85ba650f994c32ab71a

SHA256
98fd34fb8b163c494996a6977124377ba668b3aa7f3bedcc10ee627e3c8cacef

SHA512
a7544c88c016df40ee44872c27e2e5ffc2d3da27f0c95fefe306b6d2d6d946b0154b04ecee2b9292b1ce5c6c5f4f3bb2ed2ea13e08e5d46f6c6ce83563cee68a

Download Submit
C:\Windows\spbtlzlcqixqztuv.exe

Filesize
832KB

MD5
d883e43ebfa3e68001e39674ed6cc393

SHA1
a285da971a93ade308b4818619909349d146af33

SHA256
5ea2d7aca3c15d699259a16a4622bef5729e9872f8cf32e175fff7460e473505

SHA512
a6682aa477a4f3cd19c37eaae570ceb05b4a461aa44d8ba1563d0b770eba23b2cf198ba42ba6e40268a6aeac290e6cb099da36b0217cb87448b38e5ba970a3a2

Download Submit
C:\Windows\ttidypeypkcykhlpsex.exe

Filesize
96KB

MD5
03f592abf9023c1297760ee4b9363088

SHA1
7a72160bededf790ed2ce1a8072eddea23314d98

SHA256
d7036534ec897a0aac4eeb55419b90554dd7ad97410a094013b8c933d983bf65

SHA512
64a6239686761087e897ac2a2ef510cf48bcca4f8043168b392d916087901f9699e336886a9fc6ab43da0f667dc3a5463b09549970b9c88205d2aa40c60d1f06

Download Submit
C:\Windows\zxkdwlyqfyoisnprs.exe

Filesize
192KB

MD5
be32d9a54d7ae0b2abcb5edd10d9543e

SHA1
ec1aad648c4133b11579fc42a498b57246404cf8

SHA256
e4222f7445235c76b3c57af055a0c003ad7bc0fe5215e54ccd6b20fe7ff9820f

SHA512
657d5cb96e13dcd750451f42fe974c83bfa187f66b99937f871b271e425fc7b1cbce5617a8042adecb51ab0ed76224a9f9131ef7e946adddf68d7c147b874b39

Download Submit