Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64 arch:x86 image:win7-20240705-en locale:en-us os:windows7-x64 system -
submitted
25/08/2024, 06:50
Static task
static1
Behavioral task
behavioral1
Sample
eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe
Resource
win10v2004-20240802-en
General
-
Target
eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe
-
Size
1016KB
-
MD5
2f830b05ac3049212244cb900df7fdcd
-
SHA1
986d0f8e3272beb41444d2f957102f446af5ef77
-
SHA256
eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa
-
SHA512
539ee65084b89794849ebb881928bcbd44c67baf6407209acc3a520921398ece0c0fdef8704caa9bfafbb032a60aab378d0d55f0329891c1fa857fc83db20930
-
SSDEEP
6144:bIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUW:bIXsgtvm1De5YlOx6lzBH46U
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Note: the value written to Winlogon\Shell is "Explorer.exe", the default shell name, so this write on its own does not redirect the logon shell to a dropped binary; it may be re-asserting the default or acting as a placeholder — confirm against the final registry state before treating it as the persistence mechanism.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" jgqnkehutqa.exe -
Modifies UAC policy to disable elevation prompts 13 IoCs
EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop are all set to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System by both dropped executables; a change to EnableLUA only takes full effect after the next reboot. (The signature title is missing from this rendering; the name above is descriptive.)
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aiopwcr.exe -
Adds policy Run key to start application 2 TTPs 28 IoCs
The Policies\Explorer\Run values alternate between bare filenames and %TEMP% paths; a bare filename is resolved through the search path at logon, and the same names are also dropped into C:\Windows and C:\Windows\SysWOW64 (see the file-drop sections below), so collect all three locations when remediating.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "gyozqgfvisvlorrat.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pizlduulzkofjnoysj.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "nibpjcexnagzfloawpkd.exe" jgqnkehutqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "aumzskldsejbglnytlf.exe" aiopwcr.exe 
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "zqfpfushtcetvxwe.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aumzskldsejbglnytlf.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "nibpjcexnagzfloawpkd.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "cyshcwztkyfzgnrebvrla.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qeqxkwrdmsrdc = "zqfpfushtcetvxwe.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa 
= "C:\\Users\\Admin\\AppData\\Local\\Temp\\aumzskldsejbglnytlf.exe" aiopwcr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run jgqnkehutqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run aiopwcr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zktxhqirxa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe" aiopwcr.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jgqnkehutqa.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aiopwcr.exe Set value (int) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aiopwcr.exe -
Executes dropped EXE 4 IoCs
pid Process 1676 jgqnkehutqa.exe 2672 aiopwcr.exe 2808 aiopwcr.exe 2756 jgqnkehutqa.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
Deletes the SafeBoot\Minimal entries for WinDefend, ProfSvc and Power, so Windows Defender — and the user-profile and power services — will not be started in Safe Mode; booting into Safe Mode is therefore unlikely to help with clean-up and may not log on normally. Restore these keys from a known-good system if recovering in place.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend aiopwcr.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc aiopwcr.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power aiopwcr.exe -
Loads dropped DLL 8 IoCs
pid Process 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1676 jgqnkehutqa.exe 1676 jgqnkehutqa.exe 1676 jgqnkehutqa.exe 1676 jgqnkehutqa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "cyshcwztkyfzgnrebvrla.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "zqfpfushtcetvxwe.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "cyshcwztkyfzgnrebvrla.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "aumzskldsejbglnytlf.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "aumzskldsejbglnytlf.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "zqfpfushtcetvxwe.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "aumzskldsejbglnytlf.exe ." 
aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gyozqgfvisvlorrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aumzskldsejbglnytlf.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gyozqgfvisvlorrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "aumzskldsejbglnytlf.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe ." jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe ." 
jgqnkehutqa.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "zqfpfushtcetvxwe.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "cyshcwztkyfzgnrebvrla.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "gyozqgfvisvlorrat.exe ." jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "gyozqgfvisvlorrat.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe ." 
aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aumzskldsejbglnytlf.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gyozqgfvisvlorrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "aumzskldsejbglnytlf.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "zqfpfushtcetvxwe.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe ." jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "gyozqgfvisvlorrat.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "gyozqgfvisvlorrat.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "gyozqgfvisvlorrat.exe ." 
aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "nibpjcexnagzfloawpkd.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "zqfpfushtcetvxwe.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgtbpcylvccppp = "gyozqgfvisvlorrat.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gyozqgfvisvlorrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nibpjcexnagzfloawpkd.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nibpjcexnagzfloawpkd.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "gyozqgfvisvlorrat.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "nibpjcexnagzfloawpkd.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "gyozqgfvisvlorrat.exe ." 
aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gyozqgfvisvlorrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gyozqgfvisvlorrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aumzskldsejbglnytlf.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cyshcwztkyfzgnrebvrla.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe ." aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gyozqgfvisvlorrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aumzskldsejbglnytlf.exe" aiopwcr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ukyhwkhvgopdefd = "aumzskldsejbglnytlf.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gyozqgfvisvlorrat.exe ." 
aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "nibpjcexnagzfloawpkd.exe" jgqnkehutqa.exe Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\repvhsmxfkit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfpfushtcetvxwe.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ugqvgqjtaeb = "pizlduulzkofjnoysj.exe" aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pizlduulzkofjnoysj.exe ." aiopwcr.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zqfpfushtcetvxwe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nibpjcexnagzfloawpkd.exe ." aiopwcr.exe -
Queries UAC state, then disables it (EnableLUA) 8 IoCs
Each dropped process reads EnableLUA before writing it to 0 — a check-then-disable pattern. (The signature title is missing from this rendering; the name above is descriptive.)
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aiopwcr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jgqnkehutqa.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jgqnkehutqa.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aiopwcr.exe -
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's installer detection (EnableInstallerDetection = 0), so application installers run by standard users are no longer detected and prompted for elevation. The "Hijack Execution Flow" heading is the sandbox's technique mapping; what was actually observed is a UAC policy edit.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" jgqnkehutqa.exe -
Looks up external IP address via web service 4 IoCs
Uses legitimate IP-lookup services to discover the infected system's external IP address. Because these services are legitimate, the four domains below are weak indicators on their own; treat the lookup as significant only in combination with the other behaviors in this report.
flow ioc 2 whatismyip.everdot.org 6 www.showmyipaddress.com 9 www.whatismyip.ca 10 whatismyipaddress.com -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows AutoRun to spread via attached volumes; here autorun.inf is written to the root of both C:\ and F:\.
description ioc Process File opened for modification C:\autorun.inf aiopwcr.exe File created C:\autorun.inf aiopwcr.exe File opened for modification F:\autorun.inf aiopwcr.exe File created F:\autorun.inf aiopwcr.exe -
Drops file in System32 directory 32 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\nibpjcexnagzfloawpkd.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\nibpjcexnagzfloawpkd.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\cyshcwztkyfzgnrebvrla.exe aiopwcr.exe File created C:\Windows\SysWOW64\dedxxwedzsedpbkcededxx.edz aiopwcr.exe File opened for modification C:\Windows\SysWOW64\pizlduulzkofjnoysj.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\gyozqgfvisvlorrat.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\gyozqgfvisvlorrat.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\tqlbxswrjygbjrwkidavlh.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\ugqvgqjtaeblifzcpzlvalvoyfjgqnkeh.eqa aiopwcr.exe File opened for modification C:\Windows\SysWOW64\nibpjcexnagzfloawpkd.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\dedxxwedzsedpbkcededxx.edz aiopwcr.exe File opened for modification C:\Windows\SysWOW64\zqfpfushtcetvxwe.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\zqfpfushtcetvxwe.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\gyozqgfvisvlorrat.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\nibpjcexnagzfloawpkd.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\tqlbxswrjygbjrwkidavlh.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\pizlduulzkofjnoysj.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\aumzskldsejbglnytlf.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\aumzskldsejbglnytlf.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\cyshcwztkyfzgnrebvrla.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\tqlbxswrjygbjrwkidavlh.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\tqlbxswrjygbjrwkidavlh.exe aiopwcr.exe File opened for modification 
C:\Windows\SysWOW64\gyozqgfvisvlorrat.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\aumzskldsejbglnytlf.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\pizlduulzkofjnoysj.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\pizlduulzkofjnoysj.exe aiopwcr.exe File created C:\Windows\SysWOW64\ugqvgqjtaeblifzcpzlvalvoyfjgqnkeh.eqa aiopwcr.exe File opened for modification C:\Windows\SysWOW64\zqfpfushtcetvxwe.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\cyshcwztkyfzgnrebvrla.exe jgqnkehutqa.exe File opened for modification C:\Windows\SysWOW64\zqfpfushtcetvxwe.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\aumzskldsejbglnytlf.exe aiopwcr.exe File opened for modification C:\Windows\SysWOW64\cyshcwztkyfzgnrebvrla.exe jgqnkehutqa.exe -
Drops file in Program Files directory 4 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\dedxxwedzsedpbkcededxx.edz aiopwcr.exe File created C:\Program Files (x86)\dedxxwedzsedpbkcededxx.edz aiopwcr.exe File opened for modification C:\Program Files (x86)\ugqvgqjtaeblifzcpzlvalvoyfjgqnkeh.eqa aiopwcr.exe File created C:\Program Files (x86)\ugqvgqjtaeblifzcpzlvalvoyfjgqnkeh.eqa aiopwcr.exe -
Drops file in Windows directory 32 IoCs
description ioc Process File opened for modification C:\Windows\cyshcwztkyfzgnrebvrla.exe aiopwcr.exe File opened for modification C:\Windows\pizlduulzkofjnoysj.exe jgqnkehutqa.exe File opened for modification C:\Windows\nibpjcexnagzfloawpkd.exe jgqnkehutqa.exe File opened for modification C:\Windows\gyozqgfvisvlorrat.exe aiopwcr.exe File opened for modification C:\Windows\gyozqgfvisvlorrat.exe jgqnkehutqa.exe File opened for modification C:\Windows\cyshcwztkyfzgnrebvrla.exe jgqnkehutqa.exe File created C:\Windows\dedxxwedzsedpbkcededxx.edz aiopwcr.exe File opened for modification C:\Windows\zqfpfushtcetvxwe.exe jgqnkehutqa.exe File opened for modification C:\Windows\zqfpfushtcetvxwe.exe jgqnkehutqa.exe File opened for modification C:\Windows\zqfpfushtcetvxwe.exe aiopwcr.exe File opened for modification C:\Windows\nibpjcexnagzfloawpkd.exe jgqnkehutqa.exe File opened for modification C:\Windows\aumzskldsejbglnytlf.exe jgqnkehutqa.exe File opened for modification C:\Windows\tqlbxswrjygbjrwkidavlh.exe aiopwcr.exe File opened for modification C:\Windows\tqlbxswrjygbjrwkidavlh.exe aiopwcr.exe File created C:\Windows\ugqvgqjtaeblifzcpzlvalvoyfjgqnkeh.eqa aiopwcr.exe File opened for modification C:\Windows\nibpjcexnagzfloawpkd.exe aiopwcr.exe File opened for modification C:\Windows\cyshcwztkyfzgnrebvrla.exe aiopwcr.exe File opened for modification C:\Windows\aumzskldsejbglnytlf.exe aiopwcr.exe File opened for modification C:\Windows\ugqvgqjtaeblifzcpzlvalvoyfjgqnkeh.eqa aiopwcr.exe File opened for modification C:\Windows\aumzskldsejbglnytlf.exe jgqnkehutqa.exe File opened for modification C:\Windows\tqlbxswrjygbjrwkidavlh.exe jgqnkehutqa.exe File opened for modification C:\Windows\pizlduulzkofjnoysj.exe aiopwcr.exe File opened for modification C:\Windows\aumzskldsejbglnytlf.exe aiopwcr.exe File opened for modification C:\Windows\tqlbxswrjygbjrwkidavlh.exe jgqnkehutqa.exe File opened for modification C:\Windows\gyozqgfvisvlorrat.exe aiopwcr.exe File opened for modification 
C:\Windows\zqfpfushtcetvxwe.exe aiopwcr.exe File opened for modification C:\Windows\nibpjcexnagzfloawpkd.exe aiopwcr.exe File opened for modification C:\Windows\dedxxwedzsedpbkcededxx.edz aiopwcr.exe File opened for modification C:\Windows\gyozqgfvisvlorrat.exe jgqnkehutqa.exe File opened for modification C:\Windows\pizlduulzkofjnoysj.exe jgqnkehutqa.exe File opened for modification C:\Windows\cyshcwztkyfzgnrebvrla.exe jgqnkehutqa.exe File opened for modification C:\Windows\pizlduulzkofjnoysj.exe aiopwcr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jgqnkehutqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aiopwcr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 
eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe 2672 aiopwcr.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 2672 aiopwcr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2672 aiopwcr.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1688 wrote to memory of 1676 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 30 PID 1688 wrote to memory of 1676 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 30 PID 1688 wrote to memory of 1676 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 30 PID 1688 wrote to memory of 1676 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 30 PID 1676 wrote to memory of 2672 1676 jgqnkehutqa.exe 31 PID 1676 wrote to memory of 2672 1676 jgqnkehutqa.exe 31 PID 1676 wrote to memory of 2672 1676 jgqnkehutqa.exe 31 PID 1676 wrote to memory of 2672 1676 jgqnkehutqa.exe 31 PID 1676 wrote to memory of 2808 1676 jgqnkehutqa.exe 32 PID 1676 wrote to memory of 2808 1676 jgqnkehutqa.exe 32 PID 1676 wrote to memory of 2808 1676 jgqnkehutqa.exe 32 PID 1676 wrote to memory of 2808 1676 jgqnkehutqa.exe 32 PID 1688 wrote to memory of 2756 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 34 PID 1688 wrote to memory of 2756 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 34 PID 1688 wrote to memory of 2756 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 34 PID 1688 wrote to memory of 2756 1688 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe 34 -
System policy modification 1 TTPs 38 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aiopwcr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer jgqnkehutqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" jgqnkehutqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System aiopwcr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 
aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" aiopwcr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" 
aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" aiopwcr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aiopwcr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System jgqnkehutqa.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" aiopwcr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" aiopwcr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe"C:\Users\Admin\AppData\Local\Temp\eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe"C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe" "c:\users\admin\appdata\local\temp\eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe*"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\aiopwcr.exe"C:\Users\Admin\AppData\Local\Temp\aiopwcr.exe" "-C:\Users\Admin\AppData\Local\Temp\zqfpfushtcetvxwe.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2672
-
-
C:\Users\Admin\AppData\Local\Temp\aiopwcr.exe"C:\Users\Admin\AppData\Local\Temp\aiopwcr.exe" "-C:\Users\Admin\AppData\Local\Temp\zqfpfushtcetvxwe.exe"3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2808
-
-
-
C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe"C:\Users\Admin\AppData\Local\Temp\jgqnkehutqa.exe" "c:\users\admin\appdata\local\temp\eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa.exe"2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID:2756
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 3
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Hijack Execution Flow 1
Executable Installer File Permissions Weakness 1
Impair Defenses 2
Disable or Modify Tools 1
Safe Mode Boot 1
Modify Registry 5
Downloads
-
Filesize
280B
MD5 3ba50fe6fbb66bf71fe592ee9b52be86
SHA1 9c4adfea671125d0d408875d1f5bb99076978906
SHA256 ee14058a438ee0a6ee3fdae6512c686d1041303b4bada14e1e9289e08bed50d1
SHA512 5b1e89c86f95f6efefa1e530c28d6122ce35ae4619eb528315a629771a53e5ce54e5d97285758af9c930199e78d28bd631398dc6b9b99ccc529c0cf31ba5da32
-
Filesize
280B
MD5 860c851bac147a6e371660bb4157addd
SHA1 da33600f1d1347425535a024c3f0af5531dfc001
SHA256 f3eaeb0ffc298f7821f85f48e1a8df638ba5b9d008325feb420985525d941eb5
SHA512 1582814f7afad6d4c31da63ae98c47f22e1801ab660b0c8b1bbe5d1adaca62e64cd527586aba627810f30b4dac05fe8f617a2cd5e8ffecab526c8c83aad170e6
-
Filesize
280B
MD5 f71da4122bf0a7c7233fd56f679eba5d
SHA1 6d9cc7836268ed6b73bf76751604bfcd660eb5a1
SHA256 d6e45896ee086ae50ef7491e53fef211e0fe7040f112fc86e14a96082e42d61c
SHA512 b7a905cb2733893909eed6d9464e93057ba6016371202952315edd291d856dacf7761799e29b8dd90b3bc77e18571fc3fb07ccf898569858141d57fc765f3651
-
Filesize
280B
MD5 91e510f080ccbeeba51eedca1567a94c
SHA1 6dc8910fd8aef37b1c245b88ab975f8ed01ac266
SHA256 f9cfd2a62b4915114950b7a39a10929a5cd68b273eb355cfe129510f5954e7ef
SHA512 f17c463066951268e3a8bc045c9515a285b95716214bf37864a9ef57bb536e41032c82a4b5b257986b38322481e6cae2bce891eea122b851f8ded75f3ff0866b
-
Filesize
280B
MD5 72b0f2c99e828129c745c7b345442366
SHA1 532f9a1bbcf5533e25208c29830a001075660cea
SHA256 f3da6106d2e73d9e21a2035ec1d5a7144ac0ffff42ef06de963b595d13820d28
SHA512 3c82fe372dc016542bca59d7bef312d0bcdba1b76cbabe3173dd4fc16bd6d60a921b929ec60c66f2cc1c4cb79347c2a9fdb57e0af66e880a02b722b8fb89b965
-
Filesize
280B
MD5 f6b614149526d83dcdecced4f28159c0
SHA1 259ba117d377343e37ef33f73ed94e32a561c02a
SHA256 8c8e78e1dfdae840d18da1cd8e373fc70c4a0fe16f79ad03d0aa673c0a532587
SHA512 d7f4ba3f632a1b5b1f2e40991e76a241629f8cd019d8acb8fe347a3f6a1a32aaaac8eb2490a7e430a747bf63046e256a5e205607c60e0ff4fb79107953dd595e
-
Filesize
320KB
MD5 3b00d01eaaa60d0377984fe51111281d
SHA1 e2e6de396f579bc3b0740b53d74786e6c86d7cf3
SHA256 7260adf20e869d8826012ce750200aa312cbf6ef222f728fb6acc55e797884dc
SHA512 6a2b5a6beb7e3e14cd93a4829eeb7e71a5e68a15c83a811de65345ef844de84ce3a5f1761f012346705694203e96c78418d9e74f483880c0ba537048009acbc4
-
Filesize
280B
MD5 904fb9ca92cf8a4827bfbc0c5bca6541
SHA1 f74cf8d9c73d197c7920a46da23bcba8575ec587
SHA256 025cb21605ced42d023da170c00c6cfda6f5b62820554bc6a780f7f1eca270a9
SHA512 c4894f5ee0b629dbe8566226b3f41d1cafd662ec572fbc2e07f37c932439f0cff4a0ce580e18caad5cb47b8519a490bc43b8b610a22f1994d872806ba9f57285
-
Filesize
4KB
MD5 4ebd2ac50ed474f2d856c7015dc9fbd7
SHA1 0cb785014913b8972494d65ad9c68f0c3ed1e319
SHA256 5f47f0a06a8fd058217b87a235f7be0a79b618f3650d82bf43329529d86397ad
SHA512 f2533d69310bfd6ec22954780bf68998780940b7ba49636df4d2463cd8dc6bff8f3b10cfa66c5da9dc98d753f7325663d4a88b699f11c035393868efac9625c2
-
Filesize
1016KB
MD5 2f830b05ac3049212244cb900df7fdcd
SHA1 986d0f8e3272beb41444d2f957102f446af5ef77
SHA256 eb2c5482928fc976c80984356be05089d9c9f1af30cbe7558e1f7f775852fbfa
SHA512 539ee65084b89794849ebb881928bcbd44c67baf6407209acc3a520921398ece0c0fdef8704caa9bfafbb032a60aab378d0d55f0329891c1fa857fc83db20930
-
Filesize
688KB
MD5 5c09e9de11b7023fc9c8c11a7c9b97a9
SHA1 6ea687740d012f53e699a7d66c279195cd95808b
SHA256 f0c3939fe45034512cab94363b892d0f7ccb032001885443a9eb04fdaae0142d
SHA512 2815360ded3327652dda3401cfed4e723478bc818f558983065f437504386ae40dc037a0e596a807535a3d0c3de91271c1348957f5cb915c11e83d609d48977b