Analysis
max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted
14-08-2024 15:24
Static task
static1
Behavioral task
behavioral1
Sample
37dabbe49da270a4867b67bcbdf26110N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
37dabbe49da270a4867b67bcbdf26110N.exe
Resource
win10v2004-20240802-en
General
Target
37dabbe49da270a4867b67bcbdf26110N.exe
Size
568KB
MD5
37dabbe49da270a4867b67bcbdf26110
SHA1
67ff7fe72202bd7df0addd19f1b771b19576222e
SHA256
2b57890accb6a045723f3cc849ab93df9c35a4d68574387177b733bda715f0b9
SHA512
386f25df7d1c1e2320c0ad5f69a0279a7e5c837e5378598ea99a2d05f410e4364e82c607aebae45da9fb9ba6f1b1510443be719fb5f4cfab9f7c8b8340238b89
SSDEEP
12288:6pUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqsi7KaIr:6pUNr6YkVRFkgbeqeo68FhqT7KaIr
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | bfnnx.exe
UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bfnnx.exe
Adds policy Run key to start application 2 TTPs 20 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "fvpbxmepgyblhnttf.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "bvtjjcynielzzjtxnupjh.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "ofankatfxqufcjqrei.exe" | bfnnx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bfvvvpvslpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "fvpbxmepgyblhnttf.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvpbxmepgyblhnttf.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe" | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "bvtjjcynielzzjtxnupjh.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "mfcrqidrlgmzyhqtioib.exe" | bfvvvpvslpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qdudwixftiipil = "zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tdrxnwinykh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe" | bfnnx.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfnnx.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfnnx.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfvvvpvslpf.exe
Executes dropped EXE 3 IoCs
pid | Process
2396 | bfvvvpvslpf.exe
1704 | bfnnx.exe
2656 | bfnnx.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | bfnnx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | bfnnx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | bfnnx.exe
Loads dropped DLL 6 IoCs
pid | Process
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2396 | bfvvvpvslpf.exe
2396 | bfvvvpvslpf.exe
2396 | bfvvvpvslpf.exe
2396 | bfvvvpvslpf.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "bvtjjcynielzzjtxnupjh.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "mfcrqidrlgmzyhqtioib.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\thzjdqgpeuvdxbf = "ofankatfxqufcjqrei.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "yngrmarbriktotyx.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "bvtjjcynielzzjtxnupjh.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "fvpbxmepgyblhnttf.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvpbxmepgyblhnttf.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "ofankatfxqufcjqrei.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\thzjdqgpeuvdxbf = "mfcrqidrlgmzyhqtioib.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "zrnbzqkxqkpbzhprfkd.exe ." | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe ." | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "yngrmarbriktotyx.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\thzjdqgpeuvdxbf = "zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "zrnbzqkxqkpbzhprfkd.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\thzjdqgpeuvdxbf = "fvpbxmepgyblhnttf.exe" | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "ofankatfxqufcjqrei.exe ." | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "mfcrqidrlgmzyhqtioib.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "fvpbxmepgyblhnttf.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "fvpbxmepgyblhnttf.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "bvtjjcynielzzjtxnupjh.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "bvtjjcynielzzjtxnupjh.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\thzjdqgpeuvdxbf = "yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe ." | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvtjjcynielzzjtxnupjh.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvtjjcynielzzjtxnupjh.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mfcrqidrlgmzyhqtioib.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "zrnbzqkxqkpbzhprfkd.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "bvtjjcynielzzjtxnupjh.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "bvtjjcynielzzjtxnupjh.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe" | bfvvvpvslpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\thzjdqgpeuvdxbf = "zrnbzqkxqkpbzhprfkd.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvtjjcynielzzjtxnupjh.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "mfcrqidrlgmzyhqtioib.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrnbzqkxqkpbzhprfkd.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qbqxoylrdqot = "ofankatfxqufcjqrei.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\thzjdqgpeuvdxbf = "yngrmarbriktotyx.exe" | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yngrmarbriktotyx = "fvpbxmepgyblhnttf.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ofankatfxqufcjqrei = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvpbxmepgyblhnttf.exe" | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fvpbxmepgyblhnttf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fvpbxmepgyblhnttf.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "ofankatfxqufcjqrei.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ofankatfxqufcjqrei.exe ." | bfnnx.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pbrzrcqxkyxdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yngrmarbriktotyx.exe ." | bfnnx.exe
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfvvvpvslpf.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfnnx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfnnx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bfnnx.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | bfnnx.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | www.showmyipaddress.com
5 | whatismyip.everdot.org
6 | whatismyipaddress.com
10 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | bfnnx.exe
File created | F:\autorun.inf | bfnnx.exe
File opened for modification | C:\autorun.inf | bfnnx.exe
File created | C:\autorun.inf | bfnnx.exe
Drops file in System32 directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ofankatfxqufcjqrei.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\snmdeyvlhembcnyducytsj.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\fvpbxmepgyblhnttf.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\SysWOW64\mfcrqidrlgmzyhqtioib.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\yhuzowhlvgcfutslqmwfsxmufjteadsr.jok | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\snmdeyvlhembcnyducytsj.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\SysWOW64\bvtjjcynielzzjtxnupjh.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\fvpbxmepgyblhnttf.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\dbdxbyyrqqbtxlzhbmljl.jgg | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\zrnbzqkxqkpbzhprfkd.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\mfcrqidrlgmzyhqtioib.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\bvtjjcynielzzjtxnupjh.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\SysWOW64\yngrmarbriktotyx.exe | bfnnx.exe
File created | C:\Windows\SysWOW64\dbdxbyyrqqbtxlzhbmljl.jgg | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\snmdeyvlhembcnyducytsj.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\bvtjjcynielzzjtxnupjh.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\yngrmarbriktotyx.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\SysWOW64\mfcrqidrlgmzyhqtioib.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\SysWOW64\fvpbxmepgyblhnttf.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\ofankatfxqufcjqrei.exe | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\yngrmarbriktotyx.exe | bfnnx.exe
File created | C:\Windows\SysWOW64\yhuzowhlvgcfutslqmwfsxmufjteadsr.jok | bfnnx.exe
File opened for modification | C:\Windows\SysWOW64\ofankatfxqufcjqrei.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\SysWOW64\zrnbzqkxqkpbzhprfkd.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\SysWOW64\zrnbzqkxqkpbzhprfkd.exe | bfnnx.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\dbdxbyyrqqbtxlzhbmljl.jgg | bfnnx.exe
File created | C:\Program Files (x86)\dbdxbyyrqqbtxlzhbmljl.jgg | bfnnx.exe
File opened for modification | C:\Program Files (x86)\yhuzowhlvgcfutslqmwfsxmufjteadsr.jok | bfnnx.exe
File created | C:\Program Files (x86)\yhuzowhlvgcfutslqmwfsxmufjteadsr.jok | bfnnx.exe
Drops file in Windows directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Windows\fvpbxmepgyblhnttf.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\zrnbzqkxqkpbzhprfkd.exe | bfnnx.exe
File opened for modification | C:\Windows\ofankatfxqufcjqrei.exe | bfnnx.exe
File opened for modification | C:\Windows\snmdeyvlhembcnyducytsj.exe | bfnnx.exe
File created | C:\Windows\yhuzowhlvgcfutslqmwfsxmufjteadsr.jok | bfnnx.exe
File opened for modification | C:\Windows\yngrmarbriktotyx.exe | bfnnx.exe
File opened for modification | C:\Windows\zrnbzqkxqkpbzhprfkd.exe | bfnnx.exe
File opened for modification | C:\Windows\dbdxbyyrqqbtxlzhbmljl.jgg | bfnnx.exe
File created | C:\Windows\dbdxbyyrqqbtxlzhbmljl.jgg | bfnnx.exe
File opened for modification | C:\Windows\mfcrqidrlgmzyhqtioib.exe | bfnnx.exe
File opened for modification | C:\Windows\yngrmarbriktotyx.exe | bfnnx.exe
File opened for modification | C:\Windows\ofankatfxqufcjqrei.exe | bfnnx.exe
File opened for modification | C:\Windows\bvtjjcynielzzjtxnupjh.exe | bfnnx.exe
File opened for modification | C:\Windows\mfcrqidrlgmzyhqtioib.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\bvtjjcynielzzjtxnupjh.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\mfcrqidrlgmzyhqtioib.exe | bfnnx.exe
File opened for modification | C:\Windows\fvpbxmepgyblhnttf.exe | bfnnx.exe
File opened for modification | C:\Windows\bvtjjcynielzzjtxnupjh.exe | bfnnx.exe
File opened for modification | C:\Windows\yngrmarbriktotyx.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\snmdeyvlhembcnyducytsj.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\yhuzowhlvgcfutslqmwfsxmufjteadsr.jok | bfnnx.exe
File opened for modification | C:\Windows\ofankatfxqufcjqrei.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\zrnbzqkxqkpbzhprfkd.exe | bfvvvpvslpf.exe
File opened for modification | C:\Windows\fvpbxmepgyblhnttf.exe | bfnnx.exe
File opened for modification | C:\Windows\snmdeyvlhembcnyducytsj.exe | bfnnx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 37dabbe49da270a4867b67bcbdf26110N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bfvvvpvslpf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bfnnx.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
2656 | bfnnx.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2864 | 37dabbe49da270a4867b67bcbdf26110N.exe
2656 | bfnnx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2656 | bfnnx.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2864 wrote to memory of 2396 | 2864 | 37dabbe49da270a4867b67bcbdf26110N.exe | 30
PID 2864 wrote to memory of 2396 | 2864 | 37dabbe49da270a4867b67bcbdf26110N.exe | 30
PID 2864 wrote to memory of 2396 | 2864 | 37dabbe49da270a4867b67bcbdf26110N.exe | 30
PID 2864 wrote to memory of 2396 | 2864 | 37dabbe49da270a4867b67bcbdf26110N.exe | 30
PID 2396 wrote to memory of 2656 | 2396 | bfvvvpvslpf.exe | 31
PID 2396 wrote to memory of 2656 | 2396 | bfvvvpvslpf.exe | 31
PID 2396 wrote to memory of 2656 | 2396 | bfvvvpvslpf.exe | 31
PID 2396 wrote to memory of 2656 | 2396 | bfvvvpvslpf.exe | 31
PID 2396 wrote to memory of 1704 | 2396 | bfvvvpvslpf.exe | 32
PID 2396 wrote to memory of 1704 | 2396 | bfvvvpvslpf.exe | 32
PID 2396 wrote to memory of 1704 | 2396 | bfvvvpvslpf.exe | 32
PID 2396 wrote to memory of 1704 | 2396 | bfvvvpvslpf.exe | 32
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bfvvvpvslpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | bfnnx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bfvvvpvslpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | bfnnx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | bfvvvpvslpf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bfvvvpvslpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | bfnnx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | bfnnx.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\37dabbe49da270a4867b67bcbdf26110N.exe
"C:\Users\Admin\AppData\Local\Temp\37dabbe49da270a4867b67bcbdf26110N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Users\Admin\AppData\Local\Temp\bfvvvpvslpf.exe
"C:\Users\Admin\AppData\Local\Temp\bfvvvpvslpf.exe" "c:\users\admin\appdata\local\temp\37dabbe49da270a4867b67bcbdf26110n.exe*"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\bfnnx.exe
"C:\Users\Admin\AppData\Local\Temp\bfnnx.exe" "-C:\Users\Admin\AppData\Local\Temp\yngrmarbriktotyx.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2656
-
-
C:\Users\Admin\AppData\Local\Temp\bfnnx.exe
"C:\Users\Admin\AppData\Local\Temp\bfnnx.exe" "-C:\Users\Admin\AppData\Local\Temp\yngrmarbriktotyx.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:1704
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 3
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 3
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
  Impair Defenses 2
    Disable or Modify Tools 1
    Safe Mode Boot 1
  Modify Registry 5
Downloads
-
Filesize
280B
MD5
3fd227980d75a1a8676860dd3ef69b73
SHA1
ed064c88359c648f95115b2f63aa8ea579feaa45
SHA256
85c202e4b3c07333c97426cc876ad2418185645403276fdfb2e1359ac8216205
SHA512
106f26ec98602d90f8e06eee04af663263f05330bbee9f142f4ae933c9454d51b62bd6665ba30e358ab0fac6786ce7679efaf9d92e63b6ea268c38f2cc7db09b
-
Filesize
280B
MD5
1abf33531ecad3e8a5b9c6ee7be765ee
SHA1
ffd46840e3f4e62021e426bd2cc77715657ca45d
SHA256
70224c5e10a4bde89ff2a8d9ed5bebd9d67d0cae7b2445c934aa987ee2e2cf20
SHA512
45b8d5a880a65dcc156a3025712347db1df4c2a50f37457b2d52ff73dc549e878a86e300f2b24481d7b1b6c304bffa46cb8c5c9682d34793f632c96d2a4da053
-
Filesize
280B
MD5
950600f9024bb2d6ead861640f851425
SHA1
1739d60272499252ab0e6386361faa06d974ce31
SHA256
81cc8c5b8414d6a95fc1cf64d801e6a95b56bcce211de79bfe996619b3f1dee6
SHA512
a3113880f5ecf437a30113d642e417a279826f5f781949744ad49cf8c6d917793e8fcd22eca1c3a929c70ae1119ea4574f6bfdea827502901b7b561d557978a8
-
Filesize
280B
MD5
afd61067dea574a4c9d7ddd239a7b071
SHA1
a5b0709edfb18712dbb76ee4dc72efff8748cc25
SHA256
16b0435dda88f91e643ea1afa4347d8750139fa068bd45298849b34a492f81b8
SHA512
c36e832a0a8b7779f42c069b10fb3f1bd1b1bc967869e50fa2c22648ca7577f80b945e4b99dcff20a6ec2bf7ed109aafbbb9b81db764bb7bebafdb217e41df0d
-
Filesize
280B
MD5
32496e0e1a294c6e439afd50fd03ac3b
SHA1
14eebfe112f901fb1248ed32ca4287f6db189ac2
SHA256
470dd68fd38c7428618104a6c448a45996c91b70b49aa0623728219e1bbbf79d
SHA512
88083647775c4e460e14e2b2657efebb2c0e379e33709941113679936fc51a6a4d83c878587f08d67f1453017bf5419592e112f08318fb440602bfdc296bb7ea
-
Filesize
280B
MD5
546f36f62f7fe0573a376d3704259191
SHA1
3133d5fe10ab6c0ee2ebe380784c93f31fa9d0aa
SHA256
e07dd599f5b077446bb370434d96d8ab6d4bd3d41b040de59b09e2e0734092cf
SHA512
e28b6e3ee8dd9bb8a720f8a0cb98b0f5dc4930262f530f11566b689d88ee7ece5942420cb61373e4af46ca21994dbfa25675749377daa94e95f8e558b078bd01
-
Filesize
4KB
MD5
92c9295ef18265a6a380feafbe5f0084
SHA1
e5914ad562fbe3393e035baa1c31c110ec0b0fdf
SHA256
19d48cb32a6151d521614742c6ef8234c3207baf2d07c8731e5448c2b65965ba
SHA512
df4f3c27cf5a4b95ce08286d219df5ee2e06a57ad3ebd505fdfc788be7f333537b75cc8a815daee4208bd51756155fc125752754911ab67ac0d9d5b9ff4d86d0
-
Filesize
568KB
MD5
37dabbe49da270a4867b67bcbdf26110
SHA1
67ff7fe72202bd7df0addd19f1b771b19576222e
SHA256
2b57890accb6a045723f3cc849ab93df9c35a4d68574387177b733bda715f0b9
SHA512
386f25df7d1c1e2320c0ad5f69a0279a7e5c837e5378598ea99a2d05f410e4364e82c607aebae45da9fb9ba6f1b1510443be719fb5f4cfab9f7c8b8340238b89
-
Filesize
496KB
MD5
5e71f47c46a7988db192c12704abc5d8
SHA1
5befc4cf9ad0c1028fbfb72c69c8b7f99ca01f10
SHA256
2cafe011377cbd1d1ca9291e599f6707d061e764e6b3c561a7ff615ddc2c8ef5
SHA512
e8e4b290822811d8786d43d1a2d4477c5321f717413e1a167c71cb6da50b1c3c3df946bd1fc75b741c15a6c1bc81a17abc1037a917b5b82f5ff33fa8d3dcc987
-
Filesize
708KB
MD5
69d76e82e4c8597a3c0e2408edc79838
SHA1
955611b88b5313abdf58b599fc13c929d6e5ffec
SHA256
245b5f04bff0c95a1c66ee8d5c1e9f559256034f9f2389585cebf08e6764701a
SHA512
edf2902e6d6450f8a04d232a96485b1c54e4d457d5377733336acaa8f450db3876094bc2725036992411e75f6f7c8807642187dcb46a2e93b642b37b4f1dea62
-
Filesize
320KB
MD5
a44eb5eef3ca839b339c12b436fa2cc2
SHA1
722c3dc39f0b5228b77988c8445d0e68b43d28a0
SHA256
1071edb8bc287d8feea57d35f7f7ebcf484458d67cf53713fe973d2d7b8cf42e
SHA512
38c3daeca058928fb05d338d2da51b24679b1fe19ba2b18c8f3fe2fa88501120320329d6820637908a8eaf953b70495b56a6dfc1c80294b54f7e1f8533fbb909