dc1b07a52af475827944cf1bdd0c8468fe428e5cece300227ca3c54ebc5e3e65

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b571cd68c97f16598cd6a75f9c68e471.exe
Size

644KB
MD5

b571cd68c97f16598cd6a75f9c68e471
SHA1

e9140a31d28af6033dd9e58f73b2e1891dafda6d
SHA256

dc1b07a52af475827944cf1bdd0c8468fe428e5cece300227ca3c54ebc5e3e65
SHA512

3b348101ca228acb557dc851d4192ea71aad03fc50298e494c464148b8a4170724e297381b92d4f1a6f5d2ad1a9712ba4b7175986e4d965bc6ce46e9119ce53b
SSDEEP

12288:PKr3QboC9qLGKgZKe4HYpHvcbTUT+tLEGz//:PQ3QbiGL8LwH18

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	aqbwfcdvkal.exe

UAC bypass 3 TTPs 13 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dgisq.exe

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "hwkgqkxxsofgvyfdt.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgvsdymnjgyaqucbsi.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "hwkgqkxxsofgvyfdt.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwkgqkxxsofgvyfdt.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "hwkgqkxxsofgvyfdt.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsigsodfcatwnsbbtka.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "aobwfykjdyoocekh.exe"	dgisq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "bsigsodfcatwnsbbtka.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "bsigsodfcatwnsbbtka.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "qgvsdymnjgyaqucbsi.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsigsodfcatwnsbbtka.exe"	aqbwfcdvkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwoocarvuupunufhbumma.exe"	aqbwfcdvkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\houikwbtg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgvsdymnjgyaqucbsi.exe"	dgisq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sclchwezpgso = "ogxwjgwzxwqumscdwofe.exe"	aqbwfcdvkal.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dgisq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dgisq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	b571cd68c97f16598cd6a75f9c68e471.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	aqbwfcdvkal.exe

Executes dropped EXE 4 IoCs

pid	Process
4688	aqbwfcdvkal.exe
4988	dgisq.exe
2764	dgisq.exe
1276	aqbwfcdvkal.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "qgvsdymnjgyaqucbsi.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsigsodfcatwnsbbtka.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "dwoocarvuupunufhbumma.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "qgvsdymnjgyaqucbsi.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "bsigsodfcatwnsbbtka.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "bsigsodfcatwnsbbtka.exe ."	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "bsigsodfcatwnsbbtka.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgvsdymnjgyaqucbsi.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "ogxwjgwzxwqumscdwofe.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "bsigsodfcatwnsbbtka.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "bsigsodfcatwnsbbtka.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "aobwfykjdyoocekh.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsigsodfcatwnsbbtka.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "dwoocarvuupunufhbumma.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "hwkgqkxxsofgvyfdt.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwkgqkxxsofgvyfdt.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwkgqkxxsofgvyfdt.exe ."	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsigsodfcatwnsbbtka.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "aobwfykjdyoocekh.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "qgvsdymnjgyaqucbsi.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "dwoocarvuupunufhbumma.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "hwkgqkxxsofgvyfdt.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "aobwfykjdyoocekh.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwkgqkxxsofgvyfdt.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwoocarvuupunufhbumma.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aobwfykjdyoocekh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgvsdymnjgyaqucbsi.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "bsigsodfcatwnsbbtka.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwkgqkxxsofgvyfdt.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "ogxwjgwzxwqumscdwofe.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hwkgqkxxsofgvyfdt.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ogxwjgwzxwqumscdwofe.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgvsdymnjgyaqucbsi.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "hwkgqkxxsofgvyfdt.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "bsigsodfcatwnsbbtka.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgvsdymnjgyaqucbsi.exe ."	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "qgvsdymnjgyaqucbsi.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bsigsodfcatwnsbbtka.exe"	aqbwfcdvkal.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sepipgqnfymkww = "qgvsdymnjgyaqucbsi.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viuowozxqkzylmr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aobwfykjdyoocekh.exe ."	dgisq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcmekajfwobyj = "dwoocarvuupunufhbumma.exe"	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vemcgubvkal = "hwkgqkxxsofgvyfdt.exe ."	dgisq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aipehuathw = "aobwfykjdyoocekh.exe"	dgisq.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aqbwfcdvkal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dgisq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dgisq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aqbwfcdvkal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aqbwfcdvkal.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	www.showmyipaddress.com
65	whatismyip.everdot.org
67	whatismyipaddress.com
76	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	dgisq.exe
File created	F:\autorun.inf	dgisq.exe
File opened for modification	C:\autorun.inf	dgisq.exe
File created	C:\autorun.inf	dgisq.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bsigsodfcatwnsbbtka.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\ogxwjgwzxwqumscdwofe.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\ogxwjgwzxwqumscdwofe.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\sclchwezpgsoywyrcmvmrgojzqcyigibmw.wbq	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\dwoocarvuupunufhbumma.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\uohixwottuqwqyknicvwlk.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\ogxwjgwzxwqumscdwofe.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\hwkgqkxxsofgvyfdt.exe	aqbwfcdvkal.exe
File created	C:\Windows\SysWOW64\fecicgdnsyzkjwnvvusyswt.iop	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\aobwfykjdyoocekh.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\uohixwottuqwqyknicvwlk.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\qgvsdymnjgyaqucbsi.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\dwoocarvuupunufhbumma.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\aobwfykjdyoocekh.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\bsigsodfcatwnsbbtka.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\fecicgdnsyzkjwnvvusyswt.iop	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\ogxwjgwzxwqumscdwofe.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\hwkgqkxxsofgvyfdt.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\uohixwottuqwqyknicvwlk.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\hwkgqkxxsofgvyfdt.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\dwoocarvuupunufhbumma.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\hwkgqkxxsofgvyfdt.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\aobwfykjdyoocekh.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\qgvsdymnjgyaqucbsi.exe	dgisq.exe
File created	C:\Windows\SysWOW64\sclchwezpgsoywyrcmvmrgojzqcyigibmw.wbq	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\aobwfykjdyoocekh.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\qgvsdymnjgyaqucbsi.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\bsigsodfcatwnsbbtka.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\dwoocarvuupunufhbumma.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\uohixwottuqwqyknicvwlk.exe	dgisq.exe
File opened for modification	C:\Windows\SysWOW64\qgvsdymnjgyaqucbsi.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\SysWOW64\bsigsodfcatwnsbbtka.exe	aqbwfcdvkal.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\sclchwezpgsoywyrcmvmrgojzqcyigibmw.wbq	dgisq.exe
File opened for modification	C:\Program Files (x86)\fecicgdnsyzkjwnvvusyswt.iop	dgisq.exe
File created	C:\Program Files (x86)\fecicgdnsyzkjwnvvusyswt.iop	dgisq.exe
File opened for modification	C:\Program Files (x86)\sclchwezpgsoywyrcmvmrgojzqcyigibmw.wbq	dgisq.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\qgvsdymnjgyaqucbsi.exe	dgisq.exe
File opened for modification	C:\Windows\dwoocarvuupunufhbumma.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\aobwfykjdyoocekh.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\hwkgqkxxsofgvyfdt.exe	dgisq.exe
File opened for modification	C:\Windows\bsigsodfcatwnsbbtka.exe	dgisq.exe
File opened for modification	C:\Windows\qgvsdymnjgyaqucbsi.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\uohixwottuqwqyknicvwlk.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\bsigsodfcatwnsbbtka.exe	dgisq.exe
File opened for modification	C:\Windows\uohixwottuqwqyknicvwlk.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\uohixwottuqwqyknicvwlk.exe	dgisq.exe
File opened for modification	C:\Windows\ogxwjgwzxwqumscdwofe.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\fecicgdnsyzkjwnvvusyswt.iop	dgisq.exe
File opened for modification	C:\Windows\hwkgqkxxsofgvyfdt.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\dwoocarvuupunufhbumma.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\aobwfykjdyoocekh.exe	dgisq.exe
File opened for modification	C:\Windows\ogxwjgwzxwqumscdwofe.exe	dgisq.exe
File opened for modification	C:\Windows\dwoocarvuupunufhbumma.exe	dgisq.exe
File opened for modification	C:\Windows\uohixwottuqwqyknicvwlk.exe	dgisq.exe
File opened for modification	C:\Windows\sclchwezpgsoywyrcmvmrgojzqcyigibmw.wbq	dgisq.exe
File created	C:\Windows\sclchwezpgsoywyrcmvmrgojzqcyigibmw.wbq	dgisq.exe
File opened for modification	C:\Windows\hwkgqkxxsofgvyfdt.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\qgvsdymnjgyaqucbsi.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\dwoocarvuupunufhbumma.exe	dgisq.exe
File opened for modification	C:\Windows\aobwfykjdyoocekh.exe	dgisq.exe
File opened for modification	C:\Windows\hwkgqkxxsofgvyfdt.exe	dgisq.exe
File opened for modification	C:\Windows\ogxwjgwzxwqumscdwofe.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\ogxwjgwzxwqumscdwofe.exe	dgisq.exe
File created	C:\Windows\fecicgdnsyzkjwnvvusyswt.iop	dgisq.exe
File opened for modification	C:\Windows\aobwfykjdyoocekh.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\bsigsodfcatwnsbbtka.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\bsigsodfcatwnsbbtka.exe	aqbwfcdvkal.exe
File opened for modification	C:\Windows\qgvsdymnjgyaqucbsi.exe	dgisq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
4988	dgisq.exe
4988	dgisq.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
4988	dgisq.exe
4988	dgisq.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe
2520	b571cd68c97f16598cd6a75f9c68e471.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	dgisq.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 4688	2520	b571cd68c97f16598cd6a75f9c68e471.exe	91
PID 2520 wrote to memory of 4688	2520	b571cd68c97f16598cd6a75f9c68e471.exe	91
PID 2520 wrote to memory of 4688	2520	b571cd68c97f16598cd6a75f9c68e471.exe	91
PID 4688 wrote to memory of 4988	4688	aqbwfcdvkal.exe	92
PID 4688 wrote to memory of 4988	4688	aqbwfcdvkal.exe	92
PID 4688 wrote to memory of 4988	4688	aqbwfcdvkal.exe	92
PID 4688 wrote to memory of 2764	4688	aqbwfcdvkal.exe	93
PID 4688 wrote to memory of 2764	4688	aqbwfcdvkal.exe	93
PID 4688 wrote to memory of 2764	4688	aqbwfcdvkal.exe	93
PID 2520 wrote to memory of 1276	2520	b571cd68c97f16598cd6a75f9c68e471.exe	114
PID 2520 wrote to memory of 1276	2520	b571cd68c97f16598cd6a75f9c68e471.exe	114
PID 2520 wrote to memory of 1276	2520	b571cd68c97f16598cd6a75f9c68e471.exe	114

System policy modification 1 TTPs 41 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dgisq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dgisq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dgisq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dgisq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	aqbwfcdvkal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dgisq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	aqbwfcdvkal.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dgisq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	aqbwfcdvkal.exe

C:\Users\Admin\AppData\Local\Temp\b571cd68c97f16598cd6a75f9c68e471.exe
"C:\Users\Admin\AppData\Local\Temp\b571cd68c97f16598cd6a75f9c68e471.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\aqbwfcdvkal.exe
  "C:\Users\Admin\AppData\Local\Temp\aqbwfcdvkal.exe" "c:\users\admin\appdata\local\temp\b571cd68c97f16598cd6a75f9c68e471.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\dgisq.exe
    "C:\Users\Admin\AppData\Local\Temp\dgisq.exe" "-C:\Users\Admin\AppData\Local\Temp\aobwfykjdyoocekh.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4988
- - C:\Users\Admin\AppData\Local\Temp\dgisq.exe
    "C:\Users\Admin\AppData\Local\Temp\dgisq.exe" "-C:\Users\Admin\AppData\Local\Temp\aobwfykjdyoocekh.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2764
- C:\Users\Admin\AppData\Local\Temp\aqbwfcdvkal.exe
  "C:\Users\Admin\AppData\Local\Temp\aqbwfcdvkal.exe" "c:\users\admin\appdata\local\temp\b571cd68c97f16598cd6a75f9c68e471.exe"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\fecicgdnsyzkjwnvvusyswt.iop

Filesize
280B

MD5
c96e6de72cfd2898154a793c796cb1b8

SHA1
5d77b71f34739da72446171bed53df45ad12cd04

SHA256
422712c114b67ecb620ef4e71272589daa20c196a3b513149000246a460c5b0e

SHA512
004a680d17475046fe9fe7ee41556e0aa7e3482dd9ff2185956ed4e29ea8ff23406d4969e6a25e7f9af10d42597e3b43aeb448e6d7bb7cfa82c134468af46a7a

Download Submit
C:\Program Files (x86)\fecicgdnsyzkjwnvvusyswt.iop

Filesize
280B

MD5
c67f02b7ee0dac0fdb6136de65324993

SHA1
c786760d093f74abc60b1fd2b47c9e592d6f9b98

SHA256
a04a1d4dbf5fc6f44e2d434a1cdbb45e4b459b8d4ec707bfdb60b9676d22f145

SHA512
b1d12b804f916908d378a5a7d594eb088e5db7c5ddee5bda297fc8077295a255770bc4b00ec6bdd72eba1876e5f0b7028c2ba54110f48656188f0061f5dd2db7

Download Submit
C:\Program Files (x86)\fecicgdnsyzkjwnvvusyswt.iop

Filesize
280B

MD5
c6012512c628307dfd715c89770765c7

SHA1
fb8c8a0a75651c904ee50479c109b4cd54d11b61

SHA256
32377cfecc7527f13fab087613a030769fa30e329d40c5bd1c3ad02a19194ed9

SHA512
6eb4f1527eae007dfceab89dbf29fc723681bfcecce6cab5d3096a26abbdabd4e50eb1bfeb2f1ee8f6b0fb76c8f4c448e82362ff88a9b7e50ba38ec24e8fe5d8

Download Submit
C:\Program Files (x86)\fecicgdnsyzkjwnvvusyswt.iop

Filesize
280B

MD5
b3adef8bfdbdd8bb80e30c4e50b8806c

SHA1
581b3a7767a6023bc21ee191eb17517edbb995a8

SHA256
31a5157cceca60fe0bcfd692a1b752f5e28ace63a96b8053413f77b1f129fbc1

SHA512
7384a0b2532cb3beb56f79a8b58cbf855e697e5d710c596d360360362a90e7327594ebbe63bd2ebcf618968b27f1db032acc039b69b9cdc3d6200c8038766bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqbwfcdvkal.exe

Filesize
320KB

MD5
98e8a8293e1fef1b8a19e9f07eead41d

SHA1
e7ae62b3b101101aa154c297c5121d66dd4d09d5

SHA256
bcbd6ac7515d61fde8803a516f8cef2ea2ebfd00310d540076306b253231e3d2

SHA512
172ca52ca08b4db0517ff77450238592089272e6ac776228cc9e88e5a761161481b974b81c1e88446de6189b56ccf7f4fca8c4525b01451e5690dc423fdacd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgisq.exe

Filesize
696KB

MD5
617ef1abd54b8f9fd8065de71b94b486

SHA1
e36d5d16cdda9c067f3c966a80869e02006b3c14

SHA256
8c7b3b1f2b840f66ec088177529a4921a5c7eeb3a3c85065a2db07844390bd1e

SHA512
1798cac3ec08e264e6e495e2db38d66e03cde54118bb1bb6abf0cf0d6f398f34ca8947419de6a5a53010aa871a93d91d0ecb7644441373226e502306d29fb2d7

Download Submit
C:\Users\Admin\AppData\Local\fecicgdnsyzkjwnvvusyswt.iop

Filesize
280B

MD5
21bb5603c67ad7b5f3f776ee42f4c3d8

SHA1
5f50488ffcff1802ea38612a94e0136b0ac2ef8a

SHA256
8c1bb2b4cbb2c67a7d4a133888aeab91aa3f645494c99a35959e0e8780ff65c0

SHA512
a1e9d1b747e85e5d48be6c3590050e9686fbdb4f20b7d9e6f19895241520eb72dead1b8afdba59f192605016ab768dba80836ebf518ecfb0b28ed75edf2899ba

Download Submit
C:\Users\Admin\AppData\Local\fecicgdnsyzkjwnvvusyswt.iop

Filesize
280B

MD5
55b17fe1244e68a658f57687e72b2bf7

SHA1
a2c314ccb25e2fae0e3aa6b6ed7256735b9e10b3

SHA256
957ba196e5d8abd8736386d67b9e0bcd68b28fa1b37541131962daae4ca69d57

SHA512
de0a4976fe662685720d2754905c7a22a84cf0a046f5b47d6658b2a1789a216d1efaefcf1d515dc56120660a65ca9dbf1a32078f2b86b896eda0f9ed0098ba45

Download Submit
C:\Users\Admin\AppData\Local\sclchwezpgsoywyrcmvmrgojzqcyigibmw.wbq

Filesize
4KB

MD5
8f2745b04d6a57947e72d3b92bed3da6

SHA1
d2bcb877bd96c63507659f6f92bb2eef808f7ae7

SHA256
8d444659d99cd7d2ac1774348ca13afe5abb7cffba24f1f51fa3c00df83b7180

SHA512
39fec571869b2bde664ffe9511b3a2018864be2d76e27e0ded8edb5ed3a5af40e5c4af5aed25a737145da8c75efdd7f7670356f024777d443729488fcc6330d1

Download Submit
C:\Windows\SysWOW64\qgvsdymnjgyaqucbsi.exe

Filesize
452KB

MD5
22c7ea37daef5af0a8bdeaa6f362e123

SHA1
fa0624d270fc76acc3568ca220a848532a579c75

SHA256
0c6de7e94b91d6e0f5a1968adbe547391bccbfa37815a296ef807da007d1465a

SHA512
882bdf73fd3e815ea0d32cfcb99c1a3fc7fc7620f330696984bf9ae0ea84523c4f5a09338ec572e20d67327c903be42c436e3051e2a4a6a537845c1291d42c8f

Download Submit
C:\Windows\bsigsodfcatwnsbbtka.exe

Filesize
644KB

MD5
b571cd68c97f16598cd6a75f9c68e471

SHA1
e9140a31d28af6033dd9e58f73b2e1891dafda6d

SHA256
dc1b07a52af475827944cf1bdd0c8468fe428e5cece300227ca3c54ebc5e3e65

SHA512
3b348101ca228acb557dc851d4192ea71aad03fc50298e494c464148b8a4170724e297381b92d4f1a6f5d2ad1a9712ba4b7175986e4d965bc6ce46e9119ce53b

Download Submit
C:\qwbopaev.bat

Filesize
548KB

MD5
7447dfec4d0f2fbd9c10678afb197c6c

SHA1
bde5af8ed66e4371ef440d31183e6f98987ac75d

SHA256
d937e4ee4ed984c2b086c6872f5073417f5190e9e4aeb4e658efda596894f035

SHA512
d46e9bc994e65c218f229929471aa93a62172aa7bbc756cbc89238dc26d288671619fe51d5c3113ca524e8f28a765c4d459a866c6ec97a758047e00515266470

Download Submit