935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Size

3.1MB
MD5

3fb337060f0ea713c705ac50554a2a39
SHA1

6bd0d3de0c29d01380c1c170cf4dd62be3e1733c
SHA256

935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4
SHA512

a6571e7d9fc514cab1f43735aa5740be3506336380d496620d82466b720a540d99feb15d3887259faa4efda4f9512a38a6080787f7d87040a1170868357d6bf0
SSDEEP

12288:/OkiCpat4FU6JXKqGMYK8ZgkPJQPDHvd:/Oeat4FzJXKRMYK2ge4V

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	cahsaiq.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cahsaiq.exe

Adds policy Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "biysjarfxhdfavfp.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "biysjarfxhdfavfp.exe"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlkgcyrodelllapclsez.exe"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "biysjarfxhdfavfp.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wyjykwireja = "iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe"	cahsaiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlkgcyrodelllapclsez.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlkgcyrodelllapclsez.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rqyktclr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cahsaiq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cahsaiq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe

Executes dropped EXE 2 IoCs

pid	Process
3628	cahsaiq.exe
1284	cahsaiq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "rasohatjdpnrolxjtz.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymetixjzhbbun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqhcumetmxuxtpalu.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "rasohatjdpnrolxjtz.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcrkaqgtktopjdm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "eqlkgcyrodelllapclsez.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymetixjzhbbun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rasohatjdpnrolxjtz.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "cmfcwqkbwjinljwjubg.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "cmfcwqkbwjinljwjubg.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "iqhcumetmxuxtpalu.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "eqlkgcyrodelllapclsez.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "eqlkgcyrodelllapclsez.exe ."	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqhcumetmxuxtpalu.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcrkaqgtktopjdm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "biysjarfxhdfavfp.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "rasohatjdpnrolxjtz.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "eqlkgcyrodelllapclsez.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymetixjzhbbun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcrkaqgtktopjdm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqhcumetmxuxtpalu.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe ."	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymetixjzhbbun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymetixjzhbbun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "iqhcumetmxuxtpalu.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcrkaqgtktopjdm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcrkaqgtktopjdm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "pausnidvrfflkjxlxflw.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlkgcyrodelllapclsez.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "iqhcumetmxuxtpalu.exe ."	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "eqlkgcyrodelllapclsez.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmfcwqkbwjinljwjubg.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\biysjarfxhdfavfp.exe"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "rasohatjdpnrolxjtz.exe"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymetixjzhbbun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe ."	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "eqlkgcyrodelllapclsez.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tymetixjzhbbun = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlkgcyrodelllapclsez.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rasohatjdpnrolxjtz.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "eqlkgcyrodelllapclsez.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bcmalwhpbf = "biysjarfxhdfavfp.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "pausnidvrfflkjxlxflw.exe"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "iqhcumetmxuxtpalu.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "iqhcumetmxuxtpalu.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wcrkaqgtktopjdm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqlkgcyrodelllapclsez.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "biysjarfxhdfavfp.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iireoyipa = "pausnidvrfflkjxlxflw.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "rasohatjdpnrolxjtz.exe"	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\swjaocqbqxqph = "rasohatjdpnrolxjtz.exe ."	cahsaiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twiylylvjphf = "rasohatjdpnrolxjtz.exe"	cahsaiq.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cahsaiq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cahsaiq.exe

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	www.whatismyip.ca
11	www.showmyipaddress.com
13	www.whatismyip.ca
14	whatismyipaddress.com
15	www.whatismyip.ca
16	whatismyipaddress.com
3	whatismyipaddress.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\wyjykwirejaxndinqpmozoamyhuzqndty.gfc	cahsaiq.exe
File opened for modification	C:\Windows\SysWOW64\fwwabcdbdxdpuztnftfwwa.cdb	cahsaiq.exe
File created	C:\Windows\SysWOW64\fwwabcdbdxdpuztnftfwwa.cdb	cahsaiq.exe
File opened for modification	C:\Windows\SysWOW64\wyjykwirejaxndinqpmozoamyhuzqndty.gfc	cahsaiq.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\fwwabcdbdxdpuztnftfwwa.cdb	cahsaiq.exe
File created	C:\Program Files (x86)\fwwabcdbdxdpuztnftfwwa.cdb	cahsaiq.exe
File opened for modification	C:\Program Files (x86)\wyjykwirejaxndinqpmozoamyhuzqndty.gfc	cahsaiq.exe
File created	C:\Program Files (x86)\wyjykwirejaxndinqpmozoamyhuzqndty.gfc	cahsaiq.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fwwabcdbdxdpuztnftfwwa.cdb	cahsaiq.exe
File created	C:\Windows\fwwabcdbdxdpuztnftfwwa.cdb	cahsaiq.exe
File opened for modification	C:\Windows\wyjykwirejaxndinqpmozoamyhuzqndty.gfc	cahsaiq.exe
File created	C:\Windows\wyjykwirejaxndinqpmozoamyhuzqndty.gfc	cahsaiq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cahsaiq.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	cahsaiq.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe
1284	cahsaiq.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3628	cahsaiq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	cahsaiq.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 3628	2812	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe	81
PID 2812 wrote to memory of 3628	2812	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe	81
PID 2812 wrote to memory of 3628	2812	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe	81
PID 2812 wrote to memory of 1284	2812	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe	82
PID 2812 wrote to memory of 1284	2812	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe	82
PID 2812 wrote to memory of 1284	2812	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe	82

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	cahsaiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cahsaiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cahsaiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cahsaiq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	cahsaiq.exe

C:\Users\Admin\AppData\Local\Temp\935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe
"C:\Users\Admin\AppData\Local\Temp\935064aadf93e4790cbc4d84a324f4e851c316a94f8a8c409e5fd165f20ff6b4.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2812
- C:\Users\Admin\AppData\Local\Temp\cahsaiq.exe
  "C:\Users\Admin\AppData\Local\Temp\cahsaiq.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - System policy modification
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\cahsaiq.exe
  "C:\Users\Admin\AppData\Local\Temp\cahsaiq.exe" "-"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cahsaiq.exe

Filesize
4.4MB

MD5
9af273f7e98931587b2491c308effdf8

SHA1
4ec6265707cb7e1ea3c1b4d679c2c222f52eeb0b

SHA256
cbae867b9caae26bf0f511731c0e4d7ad0558d685b03ce675264fd2485cfb9ab

SHA512
06cefd99377f3b28dfe6757d71e43dc5e73b956b0f77eaefe0b852858495750ca9c5df1a8b60332c5a94e1cfdad1a712f2dea01ab3198067c77f5e4e84f5858e

Download Submit
C:\Users\Admin\AppData\Local\fwwabcdbdxdpuztnftfwwa.cdb

Filesize
272B

MD5
8738176c8e086b8be8409eaf8cb42a47

SHA1
465097a4237dae27760ca9cbf1bdec4557383335

SHA256
8411ee38e136cfecefeb628b51308b28c3e8da424a1f07679f3ddaf8723eb9a2

SHA512
10a01adbbf24b994131b700d349dcf4c10fd043ea8de1d9452be3dd6226779d5e5a8c82890209629a68cef678824b0241a5150f074d6ea62aeb7fc071e318979

Download Submit
C:\Users\Admin\AppData\Local\wyjykwirejaxndinqpmozoamyhuzqndty.gfc

Filesize
3KB

MD5
c52d7724e2a8d3b61637bcfca3e7a214

SHA1
a442ebef5844b643ee24f7650585cf3e38f8f619

SHA256
bbfc02c6878512f2489b21bc8727aace5b862ead15f816fcce1b66b007695341

SHA512
0f1b72b00e06e27111aec4d4123d37cd3b619db7e98dd0998b188a9cebc0209e9e400e7d8cf0a64723c5f49cbcb394232a0e25986742af86606c1ed9f0c905a5

Download Submit