Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 23:37
Static task: static1
Behavioral task: behavioral1
  Sample: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
  Resource: win10v2004-20240802-en
General
Target: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Size: 2.0MB
MD5: 87bf6dfde79bdaa07f9f9f4233691a20
SHA1: 966d9c5ea07f2c6a4e339a0fd40cbf18bfab9d5d
SHA256: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9
SHA512: d9430a4b4985e3bd2dae3bcdef0a8fa3731ed82a7061b867a8d3b94c814044edc2020a9d3c7e8e147fc45e8ca5aa4a3fe8c094517a2af2fe48a5354c76c55b23
SSDEEP: 12288:XmgvmzFHi0mo5aH0qMzd5807Fl8xPJQPDHvd:XmgvOHi0mGaH0qSdPFWL4V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | caglp.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Adds policy Run key to start application (2 TTPs, 26 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\patlcargxrsuaopimx.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "gqizpmcqgzzafsskn.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "cqmhbcwoifjoxosovjqea.exe" | caglp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe" | caglp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhbcwoifjoxosovjqea.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "patlcargxrsuaopimx.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uykvfwgoylf = "zizpeapcrjiimyxo.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pqzhocjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhbcwoifjoxosovjqea.exe" | caglp.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | caglp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | caglp.exe
Executes dropped EXE (2 IoCs)
pid | Process
2348 | caglp.exe
2560 | caglp.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | caglp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | caglp.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | caglp.exe
Loads dropped DLL (4 IoCs)
pid | Process
2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "navpiibslhkowmpkqdjw.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qwkxjcoykzvst = "amgzrqiyqlnqxmoinze.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\patlcargxrsuaopimx.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhbcwoifjoxosovjqea.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\patlcargxrsuaopimx.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "cqmhbcwoifjoxosovjqea.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "cqmhbcwoifjoxosovjqea.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "patlcargxrsuaopimx.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "patlcargxrsuaopimx.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhbcwoifjoxosovjqea.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\navpiibslhkowmpkqdjw.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "patlcargxrsuaopimx.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zizpeapcrjiimyxo.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "cqmhbcwoifjoxosovjqea.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhbcwoifjoxosovjqea.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "gqizpmcqgzzafsskn.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "zizpeapcrjiimyxo.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "patlcargxrsuaopimx.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "patlcargxrsuaopimx.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qwkxjcoykzvst = "gqizpmcqgzzafsskn.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qwkxjcoykzvst = "patlcargxrsuaopimx.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\patlcargxrsuaopimx.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qwkxjcoykzvst = "amgzrqiyqlnqxmoinze.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhbcwoifjoxosovjqea.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "zizpeapcrjiimyxo.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwjvgyjsdrmi = "zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\navpiibslhkowmpkqdjw.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qwkxjcoykzvst = "amgzrqiyqlnqxmoinze.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "amgzrqiyqlnqxmoinze.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "navpiibslhkowmpkqdjw.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "cqmhbcwoifjoxosovjqea.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rynboivgtjgegq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amgzrqiyqlnqxmoinze.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "gqizpmcqgzzafsskn.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zizpeapcrjiimyxo.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gqizpmcqgzzafsskn.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "patlcargxrsuaopimx.exe ." | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\gisbjygmu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\patlcargxrsuaopimx.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\patlcargxrsuaopimx.exe ." | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqmhbcwoifjoxosovjqea.exe" | caglp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucshvqeqevtsvge = "C:\\Users\\Admin\\AppData\\Local\\Temp\\navpiibslhkowmpkqdjw.exe" | caglp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zcnxgwfmvh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zizpeapcrjiimyxo.exe ." | caglp.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caglp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caglp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | caglp.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possible Turn off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | www.whatismyip.ca
8 | www.showmyipaddress.com
10 | whatismyipaddress.com
3 | whatismyip.everdot.org
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\mimpraccejvizykodzokortce.glx | caglp.exe
File opened for modification | C:\Windows\SysWOW64\rynboivgtjgegqnccjjqftganylbywyifuub.ixl | caglp.exe
File created | C:\Windows\SysWOW64\rynboivgtjgegqnccjjqftganylbywyifuub.ixl | caglp.exe
File opened for modification | C:\Windows\SysWOW64\mimpraccejvizykodzokortce.glx | caglp.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\mimpraccejvizykodzokortce.glx | caglp.exe
File created | C:\Program Files (x86)\mimpraccejvizykodzokortce.glx | caglp.exe
File opened for modification | C:\Program Files (x86)\rynboivgtjgegqnccjjqftganylbywyifuub.ixl | caglp.exe
File created | C:\Program Files (x86)\rynboivgtjgegqnccjjqftganylbywyifuub.ixl | caglp.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\mimpraccejvizykodzokortce.glx | caglp.exe
File created | C:\Windows\mimpraccejvizykodzokortce.glx | caglp.exe
File opened for modification | C:\Windows\rynboivgtjgegqnccjjqftganylbywyifuub.ixl | caglp.exe
File created | C:\Windows\rynboivgtjgegqnccjjqftganylbywyifuub.ixl | caglp.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caglp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | caglp.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2560 | caglp.exe (the same entry is listed 64 times)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2560 | caglp.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2908 wrote to memory of 2560 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 30
PID 2908 wrote to memory of 2560 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 30
PID 2908 wrote to memory of 2560 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 30
PID 2908 wrote to memory of 2560 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 30
PID 2908 wrote to memory of 2348 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 31
PID 2908 wrote to memory of 2348 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 31
PID 2908 wrote to memory of 2348 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 31
PID 2908 wrote to memory of 2348 | 2908 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 31
System policy modification (1 TTPs, 36 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | caglp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | caglp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | caglp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | caglp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
"C:\Users\Admin\AppData\Local\Temp\14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\caglp.exe
"C:\Users\Admin\AppData\Local\Temp\caglp.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2560
-
-
C:\Users\Admin\AppData\Local\Temp\caglp.exe
"C:\Users\Admin\AppData\Local\Temp\caglp.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:2348
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
-
Filesize
280B
MD5 b055cae89846baa9c50694013fe31000
SHA1 4497eed19869f838934ac2f7d89e68bd8bc1ea39
SHA256 661c8c78229b2ddfc52397cb7689e08b46fba85612edd35509c5bd89f4803253
SHA512 7786ed63fa7ece1244560993f03cb6cd7aea3f9b97cd64533c6180c573aa128ab604aa1319949332994e64c0a43d25d38529da64e83ec5c869cd36559cf6a19c
-
Filesize
280B
MD5 947450f05c7b8a76e5e9b1b3d9946750
SHA1 fd3e4a374a55c5eb502a7b1b8e4725b37337a44a
SHA256 d5d641c54bafad302082f35e141e2ca57a03252d11aaf50f54cb66d222995414
SHA512 1ffbee74691568e1e712246b86fdd9c3f9a7d9b9581c36044c7d8fec0c804821f9309e40114599e425971b3f2674d9a5de3d98743b702a034a116f010c525b1d
-
Filesize
280B
MD5 6afd2ecbc1581454dc63c6f45b86b5a4
SHA1 3c21b6b3538dc9992836861c9076c53f96ffa74c
SHA256 59bf573d60e79ef73defa9681e8d74d184656cf7da669cc69888841ce582a83e
SHA512 2dfe8c81bd0df6d1d839ac2e684d3323f70b17894ef0db552257ffeb2e1c1786675929d7a0c2698ed83cfae6f6905192f7115ea3c8f22a2f1a69f743a77dfdda
-
Filesize
280B
MD5 6b1bef20bdc487fd6c80a3b91770a4fb
SHA1 cf861cf87ffe9126a0ba2865d9faa3cc0c0cf7be
SHA256 a7858ace99eac33e5572f55557440e7ee9c19401099d0f2599bb99914ddbf975
SHA512 ad16e76bc630f596dd19695b0c243b421e4108da4363bbd100e7272a0e8c38592af10e0027c10e3c5eb8370a54e2012975ac8ffdfa648187d7aebd105295979d
-
Filesize
280B
MD5 12e8f795f8ca039170c5fc2a0fc6fed7
SHA1 a750adadbd46b2f5829da43cf14e8d85bc937811
SHA256 8c462ede7cc748a43eb9f8168e634ead649c609e886e20d074e0c06104b62104
SHA512 eed73bfe0d71852474be4edb826a2b8e3e90336e1b5032aee466bab0b0d2b6b6793dba4d47327e11ed1282d4ed0622249cdd3897d8e8e50cd7942678fdf3b71f
-
Filesize
280B
MD5 396d251edac1919df525cc7d828aaa91
SHA1 9e9778317db36692aaf4427c29171773bb37a380
SHA256 af45390adc67ed6c5d8042a88468c04e2fa06bbac5d47375d8922afb32c108ef
SHA512 13524abbf0a3423b084606e6a5cc28a442fdec076105494eb3225d1fa08695fdaae3fdebf6ac2e6bcdc160591cab6e2493f1927b8027e063f246c1a080a33d0f
-
Filesize
2.9MB
MD5 bc747f5f034e19e626a9de35a8bff923
SHA1 c346feca52dc370416c49a80f7b7a7e5092880b9
SHA256 c216494499c05b2079170ad41c9e1961a69e321cdda9c780b4dbc678484b7db1
SHA512 cb455fc934abde1e888fa6e3e3516c12fbd84002f422b4c6241a8666fa012373ba3ffd3b4ac95fcffafb7583852e38a673d08da144ef53b4e8621ee5263cf7eb
-
Filesize
280B
MD5 4ffe264e68f289190ffe4fa3119e3238
SHA1 baa0a988b398fd781fdce0639c12cd255cb0a293
SHA256 b1014ff37c578a4339abde190f884b6033aed12038637af5671a3dc62f17fb2c
SHA512 18ab8ed69db5dbf201dd2c40c97e59731083ee6ce92125f0717ea895b93b64280c9e86a480efeecb4cbf51d4ce44f7dd32c2f69bbf107792b517d220c26e4a4c
-
Filesize
4KB
MD5 40bae4edf3805695c258dcb64ae7a381
SHA1 6eb54392de838c1166737b9f9bc77636760b70b5
SHA256 80b690f5f83c8e555a85511afb8b985a71aca168a4185135277fe87a7b1bc261
SHA512 0df1fce54cfd0c9d3cee0fd8db509787b224fd489b125ce0624b302ffa9084254d867bdfd532913e2ac5d15b4b59e9bffb4a5dae2c96408e7f9d9b2380ee641a