Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240910-en locale:en-us os:windows10-2004-x64 system
submitted: 05/10/2024, 03:05

Static task: static1
Behavioral task: behavioral1
Sample: c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe
Resource: win10v2004-20240910-en
General
Target: c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe
Size: 608KB
MD5: 11551100b5caf188919b0b123358f1bb
SHA1: dd26d0ec4c80274e984ac2553f9f0510f68c22c1
SHA256: c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3
SHA512: 11ad8a53eab762da1766a0b2fd423d338b1e8de0c396b5c6fc10ccdeb5cde6e334598465844c969414ba37f02e01d19215263a9084a4ea0c465e53e91d798de2
SSDEEP: 12288:NYBX/tQDwmHtOwu/ctCKaCDnEQvPg5I2R3yTx5KEZt5:NY2w+tOwuMCeEOPp83et5
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zfvmkddzjpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | vgipzhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | vgipzhs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | zfvmkddzjpf.exe
Adds policy Run key to start application 2 TTPs 30 IoCs
Disables RegEdit via registry modification 6 IoCs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | zfvmkddzjpf.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe
Executes dropped EXE 4 IoCs
pid | Process
3768 | zfvmkddzjpf.exe
4564 | vgipzhs.exe
116 | vgipzhs.exe
3208 | zfvmkddzjpf.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | vgipzhs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | vgipzhs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | vgipzhs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | vgipzhs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | vgipzhs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | vgipzhs.exe
Adds Run key to start application 2 TTPs 64 IoCs
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | zfvmkddzjpf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vgipzhs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | vgipzhs.exe
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
42 | whatismyip.everdot.org
45 | www.showmyipaddress.com
49 | whatismyip.everdot.org
21 | whatismyip.everdot.org
22 | www.whatismyip.ca
32 | whatismyipaddress.com
35 | whatismyip.everdot.org
39 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | vgipzhs.exe
File created | C:\autorun.inf | vgipzhs.exe
File opened for modification | F:\autorun.inf | vgipzhs.exe
File created | F:\autorun.inf | vgipzhs.exe
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\ycxxabfazyidiobjyjycxx.bfa | vgipzhs.exe
File created | C:\Program Files (x86)\ycxxabfazyidiobjyjycxx.bfa | vgipzhs.exe
File opened for modification | C:\Program Files (x86)\pekvjvkqakflbsqjjffualzlagqavbrig.zvv | vgipzhs.exe
File created | C:\Program Files (x86)\pekvjvkqakflbsqjjffualzlagqavbrig.zvv | vgipzhs.exe
Drops file in Windows directory 32 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vgipzhs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zfvmkddzjpf.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process   (64 entries in report order; consecutive repeats collapsed, repeat count in parentheses)
4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  (×14)
4564  vgipzhs.exe  (×2)
4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  (×28)
4564  vgipzhs.exe  (×2)
4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  (×18)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description             pid   Process
Token: SeDebugPrivilege  4564  vgipzhs.exe
Suspicious use of WriteProcessMemory 12 IoCs
description                         pid   Process                                                                   procid_target
PID 4740 wrote to memory of 3768    4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  87
PID 4740 wrote to memory of 3768    4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  87
PID 4740 wrote to memory of 3768    4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  87
PID 3768 wrote to memory of 4564    3768  zfvmkddzjpf.exe                                                           92
PID 3768 wrote to memory of 4564    3768  zfvmkddzjpf.exe                                                           92
PID 3768 wrote to memory of 4564    3768  zfvmkddzjpf.exe                                                           92
PID 3768 wrote to memory of 116     3768  zfvmkddzjpf.exe                                                           93
PID 3768 wrote to memory of 116     3768  zfvmkddzjpf.exe                                                           93
PID 3768 wrote to memory of 116     3768  zfvmkddzjpf.exe                                                           93
PID 4740 wrote to memory of 3208    4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  110
PID 4740 wrote to memory of 3208    4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  110
PID 4740 wrote to memory of 3208    4740  c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe  110
System policy modification 1 TTPs 38 IoCs
description      ioc                                                                                              Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"     zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"   zfvmkddzjpf.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                   vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"   vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"          vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"          vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"      zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"     vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"     vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          vgipzhs.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     zfvmkddzjpf.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"          zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"      vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"          vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"          vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"    vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"         vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"   vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"      vgipzhs.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                   vgipzhs.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     vgipzhs.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                     vgipzhs.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                     vgipzhs.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer                                   zfvmkddzjpf.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"          vgipzhs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe"
Level: 1
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4740
C:\Users\Admin\AppData\Local\Temp\zfvmkddzjpf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\zfvmkddzjpf.exe" "c:\users\admin\appdata\local\temp\c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe*"
Level: 2
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3768
C:\Users\Admin\AppData\Local\Temp\vgipzhs.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\vgipzhs.exe" "-C:\Users\Admin\AppData\Local\Temp\uozpiztetiitoknl.exe"
Level: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4564
C:\Users\Admin\AppData\Local\Temp\vgipzhs.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\vgipzhs.exe" "-C:\Users\Admin\AppData\Local\Temp\uozpiztetiitoknl.exe"
Level: 3
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID: 116
C:\Users\Admin\AppData\Local\Temp\zfvmkddzjpf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\zfvmkddzjpf.exe" "c:\users\admin\appdata\local\temp\c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3.exe"
Level: 2
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID: 3208
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
Filesize: 280B
MD5: 97283d65d4a08006a6afc9eb12bd5cc4
SHA1: 619fee8a17d195c833f2d87c1dd13232e0974204
SHA256: 72d6dbe99628253a84e528fe56752cddd8f9c88ebbb71a29caa3ec4560cff9df
SHA512: 65a3fd182e30df917b942ee8f1d8ca6819871f2b2d120ed98c0f95208e32f9190352334f53da51d4032d68e5184494d1a79e27e3d106a596def7967985558025

Filesize: 280B
MD5: 9d21bcfd585d627330e4b63a1cc0180e
SHA1: c824dde8d29d363745714c85fe3fc9446e16f693
SHA256: b34382ac0c0e6f2463a933aa4b9cac3458084e274a2d8d52efe3c1c46c9f150b
SHA512: 0cb8f340f2f7ba1ab8d80b25b0df5f3b3226c657102d9ad15462d16e70dc7178d187b3d177c8e550b0f2cd0639dae440c039b887f7441555e912258638bfa0a3

Filesize: 280B
MD5: 167837fa911f7fc1ee8a77ccebbc5256
SHA1: 6ac685179256db919678b64956dc908f200dd4f5
SHA256: d0e32a566db92a854f4b85a5438d482475f96ef0b24a2da84ac3ca8fd523bdf4
SHA512: 1a00481e367e40a902bc2ba1f257519200d211bc0b094adb0021b3cbb011d434ce9b376bf99d8d0acb25b10b8c3372df5f41f382f6c4c82287b4dad6e422ed77

Filesize: 280B
MD5: 6b7380153fea5f197fd9a11f523d4b68
SHA1: d4e3f29e9aabc2945f2f960f4f31880e24cf1b58
SHA256: ffa4b7766963da4712840aef52c7328d1867d0ae671be93eff5fd6b36dfbdc8c
SHA512: f5484dbd6eac4c7ff5646410c55ffd561732309ab8439e495a3310cf43c095564f5bb4d6638b4f066cf3b512df78043c8582bcb1827b763c0162d0589db11492

Filesize: 716KB
MD5: 38fe81b11ed8545641c642dd930991f5
SHA1: 9a522f084e9a76031e96ee9c072950d57598aaf1
SHA256: dcd546ae18ea3638639730638f7b27a1bcc0f7839b7adf0d228ea0e9cb56066f
SHA512: a2ca238b7efb90d72405f88d2820ad338dfae475c8ceaaaf4df1bd1e691c15d54bb7f6387ed18c66cfbeef7c4bf3ad2be75746ca198f752bc82a04a6dddd3746

Filesize: 320KB
MD5: 63c076c23d38de8b50f34a16f246d050
SHA1: e6b4ea259ef0ed197a30fa72ad1779e03f8c4987
SHA256: 95e1fa79d678c9966049975ff56cce2f976f54bd370c4d9edd09512ee148a7eb
SHA512: c0e80aa04fe09ca52e179f7df6182225e864d812597cc8e0f71a9da93862bf97d9d63558d8157ba6d58b4180f6fcfd89c51406bd28aae66e93b30f4113d81f6d

Filesize: 4KB
MD5: b4558580416c45eb08862609a3fa0a46
SHA1: c5e67e93245926a4dfc93a828a83ce862d20a8e2
SHA256: 7a1d4099c51acbea3d14742c6e020baa9e110496959b601b7ae4fcb7cb55155a
SHA512: aff54885129f24bca6c2ab173511a608cfc6936f088d9dca08d764ceb7b11817de140ae274c71a93d885d47ea5a1fa0aa68c0781a9809bc67e54b26aa1e8bbc8

Filesize: 280B
MD5: d06fac676a595739badf2a367fab3f85
SHA1: 63a2173a927258cf18ed7ce91c7ccf0db7363aea
SHA256: 37ce67a55afae218bcfcc60abfa65b7f1e738bd429bac4ee7e93c0930f93f9d0
SHA512: 9df61bed5b63d32f59f7aea6ceec5600360d75ad7658b46fe952232c0ce8120664e0004dcd771bbbbf3b03bb3b864f901f8c3360b3740f1472f5141c51735413

Filesize: 280B
MD5: 25f68f26855dc0ff37c999b838ed22a6
SHA1: 16bc43941f4bb1bc048d9e648e991c4e298117db
SHA256: 21e7ad54226fc0d18ccd54d6e922576a120cba485b29b5a785b9ee13ef7738dd
SHA512: 83b582ee3ce551e87b79b0bf2b6c4da0d026c91e093cd740bca7339cd3fb753941ae17454c20714aeca892312748724333610d55dc32f55380ada0425cf95c8b

Filesize: 608KB
MD5: 11551100b5caf188919b0b123358f1bb
SHA1: dd26d0ec4c80274e984ac2553f9f0510f68c22c1
SHA256: c87c614987ce33454bb6469365cb3584335f2a67c9280e16a959783760f97aa3
SHA512: 11ad8a53eab762da1766a0b2fd423d338b1e8de0c396b5c6fc10ccdeb5cde6e334598465844c969414ba37f02e01d19215263a9084a4ea0c465e53e91d798de2