Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/10/2024, 06:35
Static task: static1
Behavioral task: behavioral1
Sample: 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Resource: win10v2004-20240802-en
General
Target: 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Size: 9.2MB
MD5: 90d4eeb13d02455640cca508b2a0cc40
SHA1: f85f1749ffd854e8f7862f10a6a54423e63ec39b
SHA256: 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0
SHA512: 6cfc0f987fe1f86cacd2302fd0f732f8c2725646b615c8fd1990db79db59af3b20342257edfc2e6680f7c8bba0ebe2eaed021c1ee036f746c6e0ad8ba947665f
SSDEEP: 6144:IriTOeUceEZPVB18RdCqdomsKAgh/lI86JQPDHDdx/Qtqx:phZdv8R0qRsKAg9lIPJQPDHvd
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ntwyjs.exe
UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ntwyjs.exe
Adds policy Run key to start application 2 TTPs 27 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjywsgbpmsqnejkjfe.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjywsgbpmsqnejkjfe.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "phwkhcpjwsxuqgkkid.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "atjywsgbpmsqnejkjfe.exe" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phwkhcpjwsxuqgkkid.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "atjywsgbpmsqnejkjfe.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe" | ntwyjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "gxlyuoatfaeavknmj.exe" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "phwkhcpjwsxuqgkkid.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjywsgbpmsqnejkjfe.exe" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phwkhcpjwsxuqgkkid.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pxcgtehr = "zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\chjku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ntwyjs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ntwyjs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Executes dropped EXE 2 IoCs
pid | Process
2092 | ntwyjs.exe
2420 | ntwyjs.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ntwyjs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ntwyjs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | ntwyjs.exe
Loads dropped DLL 4 IoCs
pid | Process
1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ufnukyerxmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjywsgbpmsqnejkjfe.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phwkhcpjwsxuqgkkid.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phwkhcpjwsxuqgkkid.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "nhyonkzvkipomekmmjjd.exe" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "atjywsgbpmsqnejkjfe.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phwkhcpjwsxuqgkkid.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhyonkzvkipomekmmjjd.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ufnukyerxmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhyonkzvkipomekmmjjd.exe" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "atjywsgbpmsqnejkjfe.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ufnukyerxmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhyonkzvkipomekmmjjd.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\gpvaoaept = "atjywsgbpmsqnejkjfe.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "gxlyuoatfaeavknmj.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\gpvaoaept = "nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\gpvaoaept = "zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "nhyonkzvkipomekmmjjd.exe ." | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxpggeurhgoongnqrpqld.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "gxlyuoatfaeavknmj.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\gpvaoaept = "gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjywsgbpmsqnejkjfe.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ufnukyerxmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phwkhcpjwsxuqgkkid.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "gxlyuoatfaeavknmj.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "zpcojcnfqknicqsq.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "atjywsgbpmsqnejkjfe.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\gpvaoaept = "cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "cxpggeurhgoongnqrpqld.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxpggeurhgoongnqrpqld.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ufnukyerxmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxpggeurhgoongnqrpqld.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ufnukyerxmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\gpvaoaept = "phwkhcpjwsxuqgkkid.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "zpcojcnfqknicqsq.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "nhyonkzvkipomekmmjjd.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "zpcojcnfqknicqsq.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "atjywsgbpmsqnejkjfe.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "phwkhcpjwsxuqgkkid.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "phwkhcpjwsxuqgkkid.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "nhyonkzvkipomekmmjjd.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ufnukyerxmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "phwkhcpjwsxuqgkkid.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxlyuoatfaeavknmj.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "cxpggeurhgoongnqrpqld.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "cxpggeurhgoongnqrpqld.exe ." | ntwyjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zjqwlydpui = "nhyonkzvkipomekmmjjd.exe ." | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntwyjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpcojcnfqknicqsq.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rdmulahvcsri = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjywsgbpmsqnejkjfe.exe" | ntwyjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ahloakm = "nhyonkzvkipomekmmjjd.exe ." | ntwyjs.exe
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ntwyjs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ntwyjs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntwyjs.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ntwyjs.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | whatismyip.everdot.org
6 | www.whatismyip.ca
7 | www.showmyipaddress.com
10 | whatismyipaddress.com
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mppowcafdkaipqfqzforrqyec.fmc | ntwyjs.exe
File created | C:\Windows\SysWOW64\mppowcafdkaipqfqzforrqyec.fmc | ntwyjs.exe
File opened for modification | C:\Windows\SysWOW64\rfqatktjsklewiieypjxislclbkcdwoaawqh.pak | ntwyjs.exe
File created | C:\Windows\SysWOW64\rfqatktjsklewiieypjxislclbkcdwoaawqh.pak | ntwyjs.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\mppowcafdkaipqfqzforrqyec.fmc | ntwyjs.exe
File opened for modification | C:\Program Files (x86)\rfqatktjsklewiieypjxislclbkcdwoaawqh.pak | ntwyjs.exe
File created | C:\Program Files (x86)\rfqatktjsklewiieypjxislclbkcdwoaawqh.pak | ntwyjs.exe
File opened for modification | C:\Program Files (x86)\mppowcafdkaipqfqzforrqyec.fmc | ntwyjs.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\mppowcafdkaipqfqzforrqyec.fmc | ntwyjs.exe
File created | C:\Windows\mppowcafdkaipqfqzforrqyec.fmc | ntwyjs.exe
File opened for modification | C:\Windows\rfqatktjsklewiieypjxislclbkcdwoaawqh.pak | ntwyjs.exe
File created | C:\Windows\rfqatktjsklewiieypjxislclbkcdwoaawqh.pak | ntwyjs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ntwyjs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ntwyjs.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2420 | ntwyjs.exe (this same row is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2420 | ntwyjs.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1992 wrote to memory of 2092 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 30
PID 1992 wrote to memory of 2092 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 30
PID 1992 wrote to memory of 2092 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 30
PID 1992 wrote to memory of 2092 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 30
PID 1992 wrote to memory of 2420 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 31
PID 1992 wrote to memory of 2420 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 31
PID 1992 wrote to memory of 2420 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 31
PID 1992 wrote to memory of 2420 | 1992 | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe | 31
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ntwyjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ntwyjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ntwyjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ntwyjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ntwyjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ntwyjs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe "C:\Users\Admin\AppData\Local\Temp\7681ce2d372a70dfa4acbe6736edbf8ecf43b99f20cadda24596d7d9ee2bc7c0N.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\ntwyjs.exe "C:\Users\Admin\AppData\Local\Temp\ntwyjs.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\ntwyjs.exe "C:\Users\Admin\AppData\Local\Temp\ntwyjs.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2420
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads