Analysis
max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 23:37
Static task: static1
Behavioral task: behavioral1
  Sample: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
  Resource: win10v2004-20240802-en
General
Target: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Size: 2.0MB
MD5: 87bf6dfde79bdaa07f9f9f4233691a20
SHA1: 966d9c5ea07f2c6a4e339a0fd40cbf18bfab9d5d
SHA256: 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9
SHA512: d9430a4b4985e3bd2dae3bcdef0a8fa3731ed82a7061b867a8d3b94c814044edc2020a9d3c7e8e147fc45e8ca5aa4a3fe8c094517a2af2fe48a5354c76c55b23
SSDEEP: 12288:XmgvmzFHi0mo5aH0qMzd5807Fl8xPJQPDHvd:XmgvOHi0mGaH0qSdPFWL4V
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dafpt.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dafpt.exe
Adds policy Run key to start application 2 TTPs 25 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "hqhdtkxolvvmbugiw.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaspgymecnogwqdgvk.exe" | dafpt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe" | dafpt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiytiykawfeuialm.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "aiytiykawfeuialm.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "bmfdvodwvhjctocgwmx.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "bmfdvodwvhjctocgwmx.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "aiytiykawfeuialm.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "bmfdvodwvhjctocgwmx.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hirfnwbkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swizkweqiniu = "dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dafpt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dafpt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dafpt.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Executes dropped EXE 2 IoCs
pid | Process
3860 | dafpt.exe
1616 | dafpt.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | dafpt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | dafpt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | dafpt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | dafpt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | dafpt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | dafpt.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "aiytiykawfeuialm.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "oautmgwqqdgasodizqcw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqllfarmnbfatqgmewjee.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "bmfdvodwvhjctocgwmx.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "hqhdtkxolvvmbugiw.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "aiytiykawfeuialm.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqhdtkxolvvmbugiw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "bmfdvodwvhjctocgwmx.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aiytiykawfeuialm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "hqhdtkxolvvmbugiw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "aiytiykawfeuialm.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "dqllfarmnbfatqgmewjee.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "dqllfarmnbfatqgmewjee.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "oautmgwqqdgasodizqcw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "dqllfarmnbfatqgmewjee.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aiytiykawfeuialm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiytiykawfeuialm.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "dqllfarmnbfatqgmewjee.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aiytiykawfeuialm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiytiykawfeuialm.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aiytiykawfeuialm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "oautmgwqqdgasodizqcw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "qaspgymecnogwqdgvk.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "aiytiykawfeuialm.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aiytiykawfeuialm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqllfarmnbfatqgmewjee.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "oautmgwqqdgasodizqcw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aiytiykawfeuialm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcrlzozojrperis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqhdtkxolvvmbugiw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "qaspgymecnogwqdgvk.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaspgymecnogwqdgvk.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "aiytiykawfeuialm.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiytiykawfeuialm.exe ." | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "hqhdtkxolvvmbugiw.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "hqhdtkxolvvmbugiw.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiytiykawfeuialm.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqllfarmnbfatqgmewjee.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\symfsgqeyfcqcs = "dqllfarmnbfatqgmewjee.exe ." | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oautmgwqqdgasodizqcw.exe" | dafpt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vyjzjubmdhb = "aiytiykawfeuialm.exe ." | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaspgymecnogwqdgvk.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acmbkuakad = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmfdvodwvhjctocgwmx.exe" | dafpt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwjbnajwpvrep = "aiytiykawfeuialm.exe" | dafpt.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dafpt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dafpt.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dafpt.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
18 | whatismyip.everdot.org
21 | whatismyipaddress.com
27 | www.whatismyip.ca
31 | whatismyip.everdot.org
33 | www.showmyipaddress.com
36 | www.whatismyip.ca
45 | www.whatismyip.ca
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\fwvzxwrqvnvursmwsofei.faz | dafpt.exe
File created | C:\Windows\SysWOW64\fwvzxwrqvnvursmwsofei.faz | dafpt.exe
File opened for modification | C:\Windows\SysWOW64\acmbkuakadwgoafahoqapyioyorkucot.vce | dafpt.exe
File created | C:\Windows\SysWOW64\acmbkuakadwgoafahoqapyioyorkucot.vce | dafpt.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\fwvzxwrqvnvursmwsofei.faz | dafpt.exe
File created | C:\Program Files (x86)\fwvzxwrqvnvursmwsofei.faz | dafpt.exe
File opened for modification | C:\Program Files (x86)\acmbkuakadwgoafahoqapyioyorkucot.vce | dafpt.exe
File created | C:\Program Files (x86)\acmbkuakadwgoafahoqapyioyorkucot.vce | dafpt.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\fwvzxwrqvnvursmwsofei.faz | dafpt.exe
File created | C:\Windows\fwvzxwrqvnvursmwsofei.faz | dafpt.exe
File opened for modification | C:\Windows\acmbkuakadwgoafahoqapyioyorkucot.vce | dafpt.exe
File created | C:\Windows\acmbkuakadwgoafahoqapyioyorkucot.vce | dafpt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dafpt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dafpt.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | dafpt.exe
Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | dafpt.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
3860 | dafpt.exe (18 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1616 | dafpt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3860 | dafpt.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1172 wrote to memory of 3860 | 1172 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 82
PID 1172 wrote to memory of 3860 | 1172 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 82
PID 1172 wrote to memory of 3860 | 1172 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 82
PID 1172 wrote to memory of 1616 | 1172 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 83
PID 1172 wrote to memory of 1616 | 1172 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 83
PID 1172 wrote to memory of 1616 | 1172 | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe | 83
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dafpt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | dafpt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dafpt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | dafpt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | dafpt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | dafpt.exe
Processes
Image: C:\Users\Admin\AppData\Local\Temp\14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\14c233ab4ed862f7eb3f89476b7d2b81f0ea6f91fe1bc48372237655dbc67ab9N.exe"
Tree depth: 1
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1172
Image: C:\Users\Admin\AppData\Local\Temp\dafpt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dafpt.exe" "-"
Tree depth: 2
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3860
Image: C:\Users\Admin\AppData\Local\Temp\dafpt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dafpt.exe" "-"
Tree depth: 2
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:1616
Image: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Tree depth: 1
PID:2188
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
- Disable or Modify Tools (1)
- Safe Mode Boot (1)
- Modify Registry (5)
Downloads

Filesize 280B
MD5 cfb5ba9b19b776110cd634c21dad7bfe
SHA1 b9cf572e155b5c5d6c22bebd068ba71afd8d5bba
SHA256 e155c73011bfce293a6ebb6ef2359f3ca58b8461ca0f2e3f6afb0008c14dbaa0
SHA512 fefcb9b44facb61d251f41373cfae80cfb50dd818e7ec3a62b93c56aa64cae66aa5823979fec8ed695cacb065e1f60312068d7e461cb8d9f019dbeec9fabd482

Filesize 280B
MD5 8ab4cb29431a16c6cf9e899db53c5457
SHA1 f9df20fc879e796b9bcbee9048ab09810ed52a55
SHA256 355df5fba60db890188230b84d3ae372204530e15fa6b27dc49a441422a90c0c
SHA512 0fb9565de22a7e5d9189f6e405de542c02f48d5b7c4ac5c3443ca5c9d054e61775e84e9a427caec6d71033593df1b66af58555e9e8a0ad912caee1bd7a558485

Filesize 280B
MD5 0487c462ff7904b29147e1c1c4fceb74
SHA1 d5056327fe2e4137ba045fff719907e7e67067ee
SHA256 8fdc4d48bf7d3910bd1daf67158faf1cd65f954f1da0f90eddd8f44a9d585037
SHA512 32b6f64f202160e217e0b353ad28f8cf3a0e70729ba1034aa92c542c18484b3a43ede80013658c06c090634483cc45af3be7e9a97fb8e86e3649964d24b9b41a

Filesize 280B
MD5 a2f99fe200d564161f7e447ebfdffdb7
SHA1 f51e9a7c6d0aa368de1f2b039d2184d1eb4b7a94
SHA256 f668c1496c6919a5f01d5c79c9423f6e10616cfe4317f98669e5c87a23565a46
SHA512 446d268834ea09c9ca02f1c94919062efe6c3e1e72d841cb21f9c56fa36a11cef48b1c567ac1e6f161013f9b53efbb8664ba7c7a831b0aa93234a1640a16afd2

Filesize 280B
MD5 73489adcd47204fac5801ea306232b6e
SHA1 2659b41cd74e30598edfb301b13e2be661b63e8b
SHA256 f2f1897e97e7faa99848eb01c8c9f6967a8353cdaf480921a3be759788bd0f2d
SHA512 d518ff44bb287ec429d8e413657c243e863b012c38aea6ca16f131fc95ead1a23149a1ee6a2572a1ee48fa05721233521ca17914012c9dc628db52b5587e3137

Filesize 2.9MB
MD5 2a8af5ef30a3d952c982dccf3512a367
SHA1 6607a33935a521b7deaede31d0fa3a9c1065ca77
SHA256 d03f343a0bb4f565fd6d1f0c6036e7b71e3b6bf8b515e14a38b105584385ced4
SHA512 315990471e9cc6d71512d8fe790ed6941ab10397590c99a7cdd90bf3a8d096ead815ab361f6ced216f2b331d5736e1fdffc724a1c46830febd792aac20418ad0

Filesize 4KB
MD5 4e0d2035aef027ba81df5795952725cd
SHA1 21f5153e11e896c02e14d9e52cffcc3ec5f36dbf
SHA256 b16c935d3a06c22788258bc8d3b9c48bd0ad9843a76ae45d064faaf2f63b0e06
SHA512 a987cbed7041ce1690fd9319e77a969a06dcab2c7c423fdc535b095441e2c3678b841f2fc2270e3f9167917e40ff707927c3b513299dfbb59b7f2d60adf1645d

Filesize 280B
MD5 76b0e1edf5bac6fc240403a8ae8ff3e6
SHA1 ce4d5458d8ca6cfc28015641a1f7809760a61864
SHA256 7a1f5bbc38d999ef464837b5fd5f4d16406dc4003772dd5cdf114afd4dd9f24a
SHA512 2839d6fd30ea25f6b6ee7f1f5255adee20440a81dce81136947cff8182177e55fc5d4d56511894008d528cb3c3fcd64f33429e88b402dcc5f4b268a60bf5e247

Filesize 280B
MD5 62dfb0a77d78dc90cebf9905f1c77a65
SHA1 d9deeed5c7e8754ecee697126c40fb905d3cd13d
SHA256 80452161bda4b0a59fa5f64d0f9553050d1aca333bbc9a3a3bfdf3ea9d74e6ae
SHA512 4a0c765b9c521378a126381229ad10b3de2017cd617601b109d394b1286e61c69d604f71ec6b542cdde86dec18bfb9ede59379da5b1aca102a170d2fce8b2125