Analysis
max time kernel: 120s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2024, 10:48
Static task: static1
Behavioral task: behavioral1
Sample: cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Resource: win10v2004-20240910-en
General
Target: cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Size: 3.1MB
MD5: c3e7b349ab01f3c8d361aef18d7d99b0
SHA1: 75d774e51fd6bd19bb5abb9c96ba54fbb88964c4
SHA256: cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512
SHA512: 74d3c6b34d1edcd46ad98340c67313d03f9e351479df598fc7628ff9607e09af6c801d7387fd5f513c0dc12721a834991fcd6aeb7f0751764cc6dc9e2fd61a21
SSDEEP: 12288:DCgvmzFHi0mo5aH0qMzd58g7FWPJQPDHvd:DCgvOHi0mGaH0qSdzFI4V
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ciqtxkl.exe
UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ciqtxkl.exe
Adds policy Run key to start application 2 TTPs 25 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ribpecoixpsfcaffmp.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ribpecoixpsfcaffmp.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "ribpecoixpsfcaffmp.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pubdgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "ribpecoixpsfcaffmp.exe" | ciqtxkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "eyuldetqidjzzailvbsmi.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ciqtxkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iqafladou = "eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ciqtxkl.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ciqtxkl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Executes dropped EXE 2 IoCs
pid | Process
3696 | ciqtxkl.exe
4756 | ciqtxkl.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ciqtxkl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ciqtxkl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ciqtxkl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ciqtxkl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ciqtxkl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ciqtxkl.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "pidtkkyulfkzyyfhqvle.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "eyuldetqidjzzailvbsmi.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "eyuldetqidjzzailvbsmi.exe ." | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe ." | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "eyuldetqidjzzailvbsmi.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "iyqdrozsgxzlheihn.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "ribpecoixpsfcaffmp.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "bqhtgcmerhitoknl.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "bqhtgcmerhitoknl.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "iyqdrozsgxzlheihn.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "cuodtsfaqjnbzyefnrg.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "ribpecoixpsfcaffmp.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ribpecoixpsfcaffmp.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "iyqdrozsgxzlheihn.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "ribpecoixpsfcaffmp.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sesblelakxvdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sesblelakxvdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "ribpecoixpsfcaffmp.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "pidtkkyulfkzyyfhqvle.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sesblelakxvdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sesblelakxvdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidtkkyulfkzyyfhqvle.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "eyuldetqidjzzailvbsmi.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "bqhtgcmerhitoknl.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pidtkkyulfkzyyfhqvle.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sesblelakxvdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "cuodtsfaqjnbzyefnrg.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bkvbiycovf = "eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "iyqdrozsgxzlheihn.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyuldetqidjzzailvbsmi.exe ." | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sesblelakxvdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyuldetqidjzzailvbsmi.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqhtgcmerhitoknl.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyuldetqidjzzailvbsmi.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eyuldetqidjzzailvbsmi.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sesblelakxvdv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "pidtkkyulfkzyyfhqvle.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuodtsfaqjnbzyefnrg.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "cuodtsfaqjnbzyefnrg.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wgszhydqyjf = "cuodtsfaqjnbzyefnrg.exe ." | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "cuodtsfaqjnbzyefnrg.exe ." | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "iyqdrozsgxzlheihn.exe" | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\terziagudpmt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqhtgcmerhitoknl.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ryhlqegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyqdrozsgxzlheihn.exe ." | ciqtxkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ciqtxkl = "eyuldetqidjzzailvbsmi.exe" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ciqtxkl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ciqtxkl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ciqtxkl.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ciqtxkl.exe
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
48 | whatismyipaddress.com
24 | www.whatismyip.ca
25 | www.showmyipaddress.com
28 | whatismyip.everdot.org
33 | www.whatismyip.ca
34 | whatismyip.everdot.org
46 | www.whatismyip.ca
47 | whatismyip.everdot.org
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\jknlksosrtgdkshrivtuxvuc.cbd | ciqtxkl.exe
File created | C:\Windows\SysWOW64\jknlksosrtgdkshrivtuxvuc.cbd | ciqtxkl.exe
File opened for modification | C:\Windows\SysWOW64\sesblelakxvdvoojljsesblelakxvdvoojl.ses | ciqtxkl.exe
File created | C:\Windows\SysWOW64\sesblelakxvdvoojljsesblelakxvdvoojl.ses | ciqtxkl.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd | ciqtxkl.exe
File created | C:\Program Files (x86)\jknlksosrtgdkshrivtuxvuc.cbd | ciqtxkl.exe
File opened for modification | C:\Program Files (x86)\sesblelakxvdvoojljsesblelakxvdvoojl.ses | ciqtxkl.exe
File created | C:\Program Files (x86)\sesblelakxvdvoojljsesblelakxvdvoojl.ses | ciqtxkl.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\jknlksosrtgdkshrivtuxvuc.cbd | ciqtxkl.exe
File created | C:\Windows\jknlksosrtgdkshrivtuxvuc.cbd | ciqtxkl.exe
File opened for modification | C:\Windows\sesblelakxvdvoojljsesblelakxvdvoojl.ses | ciqtxkl.exe
File created | C:\Windows\sesblelakxvdvoojljsesblelakxvdvoojl.ses | ciqtxkl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ciqtxkl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ciqtxkl.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | ciqtxkl.exe
Key created | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings | ciqtxkl.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
3696 | ciqtxkl.exe (18 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4756 | ciqtxkl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3696 | ciqtxkl.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 4764 wrote to memory of 3696 | 4764 | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe | 87
PID 4764 wrote to memory of 3696 | 4764 | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe | 87
PID 4764 wrote to memory of 3696 | 4764 | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe | 87
PID 4764 wrote to memory of 4756 | 4764 | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe | 88
PID 4764 wrote to memory of 4756 | 4764 | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe | 88
PID 4764 wrote to memory of 4756 | 4764 | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe | 88
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ciqtxkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ciqtxkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ciqtxkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ciqtxkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ciqtxkl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ciqtxkl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ciqtxkl.exe
Processes
- Process (level 1): C:\Users\Admin\AppData\Local\Temp\cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cbb80c1655c3d48393b462b06f9dc949ba014517432968aa8972beffc715c512N.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4764
- Process (level 2): C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 3696
- Process (level 2): C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ciqtxkl.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID: 4756
- Process (level 1): C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2880
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads