Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 07:06
Static task: static1

Behavioral task: behavioral1
  Sample: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
  Resource: win10v2004-20241007-en
General

Target: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
Size: 1016KB
MD5: 18e163786a650174a88b891fd947c890
SHA1: ca5914aa9b8d04bde6c230dfb3ba12284556a0de
SHA256: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729
SHA512: f0d5c8d3bd1adcab128c323c4f2bd3596bfb548e07e97c9324aaca689a42d73748f0897af197d86bc661a994256a8c4edd75bae313ef0cc9e3a16c9808174ed5
SSDEEP: 6144:oIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUry:oIXsgtvm1De5YlOx6lzBH46Ury
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaxybxpphkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaxybxpphkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | itsahs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | itsahs.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | itsahs.exe
Adds policy Run key to start application (2 TTPs, 30 IoCs)
Disables RegEdit via registry modification (6 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | itsahs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | itsahs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaxybxpphkh.exe
Executes dropped EXE (4 IoCs)

pid | Process
2188 | xaxybxpphkh.exe
2964 | itsahs.exe
2752 | itsahs.exe
2584 | xaxybxpphkh.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)

description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | itsahs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | itsahs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | itsahs.exe
Loads dropped DLL (8 IoCs)

pid | Process
1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
2188 | xaxybxpphkh.exe
2188 | xaxybxpphkh.exe
2188 | xaxybxpphkh.exe
2188 | xaxybxpphkh.exe
1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaxybxpphkh.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaxybxpphkh.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | itsahs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | itsahs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | itsahs.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | itsahs.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow | ioc
5 | www.showmyipaddress.com
8 | www.whatismyip.ca
13 | whatismyip.everdot.org
2 | whatismyipaddress.com
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.

description | ioc | Process
File opened for modification | C:\autorun.inf | itsahs.exe
File created | C:\autorun.inf | itsahs.exe
File opened for modification | F:\autorun.inf | itsahs.exe
File created | F:\autorun.inf | itsahs.exe
Drops file in System32 directory (32 IoCs)
Drops file in Program Files directory (4 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files (x86)\zfzcekfjfjrkxohtbrrxruw.xbx | itsahs.exe
File created | C:\Program Files (x86)\zfzcekfjfjrkxohtbrrxruw.xbx | itsahs.exe
File opened for modification | C:\Program Files (x86)\mdiwjagvcrkomospijulqeriodkzswuwax.rct | itsahs.exe
File created | C:\Program Files (x86)\mdiwjagvcrkomospijulqeriodkzswuwax.rct | itsahs.exe
Drops file in Windows directory (32 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xaxybxpphkh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | itsahs.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2964 | itsahs.exe
Suspicious use of WriteProcessMemory 16 IoCs
description | pid | Process | procid_target
PID 1252 wrote to memory of 2188 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 30
PID 1252 wrote to memory of 2188 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 30
PID 1252 wrote to memory of 2188 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 30
PID 1252 wrote to memory of 2188 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 30
PID 2188 wrote to memory of 2964 | 2188 | xaxybxpphkh.exe | 31
PID 2188 wrote to memory of 2964 | 2188 | xaxybxpphkh.exe | 31
PID 2188 wrote to memory of 2964 | 2188 | xaxybxpphkh.exe | 31
PID 2188 wrote to memory of 2964 | 2188 | xaxybxpphkh.exe | 31
PID 2188 wrote to memory of 2752 | 2188 | xaxybxpphkh.exe | 32
PID 2188 wrote to memory of 2752 | 2188 | xaxybxpphkh.exe | 32
PID 2188 wrote to memory of 2752 | 2188 | xaxybxpphkh.exe | 32
PID 2188 wrote to memory of 2752 | 2188 | xaxybxpphkh.exe | 32
PID 1252 wrote to memory of 2584 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 34
PID 1252 wrote to memory of 2584 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 34
PID 1252 wrote to memory of 2584 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 34
PID 1252 wrote to memory of 2584 | 1252 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 34
System policy modification 1 TTPs 38 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | itsahs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xaxybxpphkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xaxybxpphkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | itsahs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | itsahs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | itsahs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | xaxybxpphkh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | itsahs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | xaxybxpphkh.exe
Processes
C:\Users\Admin\AppData\Local\Temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1252
  C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729n.exe*"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2188
    C:\Users\Admin\AppData\Local\Temp\itsahs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\itsahs.exe" "-C:\Users\Admin\AppData\Local\Temp\upyqhcmfqjgoqwef.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2964
    C:\Users\Admin\AppData\Local\Temp\itsahs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\itsahs.exe" "-C:\Users\Admin\AppData\Local\Temp\upyqhcmfqjgoqwef.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2752
  C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729n.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID:2584
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads