Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/10/2024, 07:06
Static task: static1

Behavioral task: behavioral1
  Sample: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
  Resource: win10v2004-20241007-en
General

Target: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
Size: 1016KB
MD5: 18e163786a650174a88b891fd947c890
SHA1: ca5914aa9b8d04bde6c230dfb3ba12284556a0de
SHA256: 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729
SHA512: f0d5c8d3bd1adcab128c323c4f2bd3596bfb548e07e97c9324aaca689a42d73748f0897af197d86bc661a994256a8c4edd75bae313ef0cc9e3a16c9808174ed5
SSDEEP: 6144:oIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUry:oIXsgtvm1De5YlOx6lzBH46Ury
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)

Operation | Key = data | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wfsgytrrgpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xbirelm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xbirelm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | wfsgytrrgpc.exe

The data written is "Explorer.exe", which is the default shell, so the signal here is the write to the Winlogon key itself rather than its content. The write lands in the WOW6432Node view, consistent with a 32-bit writer (the same processes drop their copies into SysWOW64, see below).

UAC policy values written under Policies\System (13 IoCs; the signature heading for this table was not captured). EnableLUA = 0 disables UAC after the next reboot; ConsentPromptBehaviorAdmin = 0 elevates administrators without prompting; PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop. Policies\System is not redirected for 32-bit processes, which is why these writes hit the native key rather than WOW6432Node.

Operation | Key = data | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xbirelm.exe
Adds policy Run key to start application (2 TTPs, 30 IoCs)

All entries are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run:

Operation | Value = data | Process
Set value (str) | mrzjxfhs = "xngbatgcxjkbwssvbjb.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "wjzrndngyhftlebb.exe" | xbirelm.exe
Key created | (the Run key itself) | wfsgytrrgpc.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "zrmjkfuspdgzwuwbjtnfa.exe" | wfsgytrrgpc.exe
Set value (str) | mrzjxfhs = "mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "wjzrndngyhftlebb.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrmjkfuspdgzwuwbjtnfa.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Key created | (the Run key itself) | xbirelm.exe
Set value (str) | mrzjxfhs = "xngbatgcxjkbwssvbjb.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbvrrlzwsfhzvstxengx.exe" | wfsgytrrgpc.exe
Key created | (the Run key itself) | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xngbatgcxjkbwssvbjb.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wjzrndngyhftlebb.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "kbvrrlzwsfhzvstxengx.exe" | wfsgytrrgpc.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xngbatgcxjkbwssvbjb.exe" | wfsgytrrgpc.exe
Set value (str) | mrzjxfhs = "zrmjkfuspdgzwuwbjtnfa.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | zbgny = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xngbatgcxjkbwssvbjb.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "zrmjkfuspdgzwuwbjtnfa.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Set value (str) | mrzjxfhs = "dribypaunxwleywxb.exe" | xbirelm.exe
Key created | (the Run key itself) | wfsgytrrgpc.exe
Disables RegEdit via registry modification (6 IoCs)

Operation | Key = data | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xbirelm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xbirelm.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.

Operation | Key | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | wfsgytrrgpc.exe
Executes dropped EXE (4 IoCs)

PID | Process
232 | wfsgytrrgpc.exe
2128 | xbirelm.exe
3768 | xbirelm.exe
1840 | wfsgytrrgpc.exe
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
The subkeys of SafeBoot\Minimal are the allow-list of services and drivers that load in Safe Mode; deleting entries such as ProfSvc (User Profile Service) and UserManager breaks Safe Mode as a recovery path for the infected host.

Operation | Key | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | xbirelm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | xbirelm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | xbirelm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | xbirelm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | xbirelm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | xbirelm.exe
Adds Run key to start application (2 TTPs, 64 IoCs)

Key abbreviations used in this table:
  HKLM-WOW-Run     = \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  HKLM-WOW-RunOnce = \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  HKU-Run          = \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKU-RunOnce      = \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  TEMP             = C:\\Users\\Admin\\AppData\\Local\\Temp (backslashes escaped as in the report)

Operation | Value = data | Process
Set value (str) | HKLM-WOW-Run\kntbnt = "dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\xbirelm = "kbvrrlzwsfhzvstxengx.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\zrmjkfuspdgzwuwbjtnfa.exe ." | xbirelm.exe
Set value (str) | HKU-RunOnce\xbirelm = "TEMP\\mbtnldpkeppfzutvah.exe ." | wfsgytrrgpc.exe
Set value (str) | HKU-RunOnce\xbirelm = "TEMP\\kbvrrlzwsfhzvstxengx.exe ." | wfsgytrrgpc.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\xbirelm = "dribypaunxwleywxb.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\mbtnldpkeppfzutvah.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\kbvrrlzwsfhzvstxengx.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | HKU-RunOnce\xbirelm = "TEMP\\mbtnldpkeppfzutvah.exe ." | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\kbvrrlzwsfhzvstxengx.exe" | wfsgytrrgpc.exe
Set value (str) | HKU-Run\djsdsbeqb = "dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\xbirelm = "zrmjkfuspdgzwuwbjtnfa.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-Run\kntbnt = "dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "wjzrndngyhftlebb.exe ." | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\wjzrndngyhftlebb.exe" | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\xngbatgcxjkbwssvbjb.exe" | xbirelm.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "zrmjkfuspdgzwuwbjtnfa.exe ." | xbirelm.exe
Set value (str) | HKU-Run\djsdsbeqb = "wjzrndngyhftlebb.exe" | xbirelm.exe
Set value (str) | HKU-Run\djsdsbeqb = "wjzrndngyhftlebb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-Run\kntbnt = "mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\wjzrndngyhftlebb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\kbvrrlzwsfhzvstxengx.exe ." | wfsgytrrgpc.exe
Set value (str) | HKLM-WOW-RunOnce\xbirelm = "xngbatgcxjkbwssvbjb.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\zrmjkfuspdgzwuwbjtnfa.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\xngbatgcxjkbwssvbjb.exe ." | xbirelm.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "dribypaunxwleywxb.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\xbirelm = "kbvrrlzwsfhzvstxengx.exe ." | wfsgytrrgpc.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\mbtnldpkeppfzutvah.exe ." | wfsgytrrgpc.exe
Set value (str) | HKLM-WOW-Run\kntbnt = "zrmjkfuspdgzwuwbjtnfa.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "zrmjkfuspdgzwuwbjtnfa.exe ." | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Set value (str) | HKU-RunOnce\xbirelm = "TEMP\\dribypaunxwleywxb.exe ." | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\xngbatgcxjkbwssvbjb.exe" | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\xngbatgcxjkbwssvbjb.exe ." | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\mbtnldpkeppfzutvah.exe ." | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\wjzrndngyhftlebb.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\xbirelm = "zrmjkfuspdgzwuwbjtnfa.exe ." | xbirelm.exe
Set value (str) | HKU-Run\djsdsbeqb = "zrmjkfuspdgzwuwbjtnfa.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-Run\kntbnt = "zrmjkfuspdgzwuwbjtnfa.exe" | wfsgytrrgpc.exe
Set value (str) | HKU-Run\djsdsbeqb = "dribypaunxwleywxb.exe" | xbirelm.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\wjzrndngyhftlebb.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-RunOnce\rzkxozesfjc = "TEMP\\dribypaunxwleywxb.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-Run\oxjxpbhwkpjt = "TEMP\\zrmjkfuspdgzwuwbjtnfa.exe" | xbirelm.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "mbtnldpkeppfzutvah.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-Run\kntbnt = "wjzrndngyhftlebb.exe" | wfsgytrrgpc.exe
Set value (str) | HKU-Run\kntbnt = "TEMP\\wjzrndngyhftlebb.exe" | wfsgytrrgpc.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "kbvrrlzwsfhzvstxengx.exe ." | xbirelm.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "xngbatgcxjkbwssvbjb.exe ." | xbirelm.exe
Set value (str) | HKLM-WOW-Run\kntbnt = "xngbatgcxjkbwssvbjb.exe" | xbirelm.exe
Set value (str) | HKU-Run\djsdsbeqb = "mbtnldpkeppfzutvah.exe" | xbirelm.exe
Set value (str) | HKLM-WOW-Run\kntbnt = "kbvrrlzwsfhzvstxengx.exe" | xbirelm.exe
Set value (str) | HKU-RunOnce\wdnzpzdqcf = "kbvrrlzwsfhzvstxengx.exe ." | wfsgytrrgpc.exe
Set value (str) | HKU-RunOnce\xbirelm = "TEMP\\wjzrndngyhftlebb.exe ." | xbirelm.exe
Set value (str) | HKU-RunOnce\xbirelm = "TEMP\\zrmjkfuspdgzwuwbjtnfa.exe ." | xbirelm.exe

Many of these values are bare file names with no directory. At logon they are resolved through the loader's search path, and the same names are dropped into C:\Windows and C:\Windows\SysWOW64 (see the "Drops file" sections below), so they will be found even if the Temp copies are cleaned up.
EnableLUA written and then read back (8 IoCs; the signature heading for this table was not captured)

Operation | Key = data | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xbirelm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | xbirelm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wfsgytrrgpc.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wfsgytrrgpc.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | wfsgytrrgpc.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users: EnableInstallerDetection = 0 disables the UAC heuristic that recognises setup-like executables and prompts to elevate them.

Operation | Key = data | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xbirelm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | wfsgytrrgpc.exe
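The registry tables above (Winlogon Shell, the Policies\System UAC values, Policies\Explorer\Run, DisableRegistryTools, the SafeBoot deletions and the Run/RunOnce values) are all one-line events of the form `<operation> <key>[ = "<data>"] <process>`. The Python below is an added example, not part of the Triage report or of the sample: it parses that line form and applies the checks an analyst would apply to these events. The lines in SAMPLE_EVENTS are copied from the tables above; the finding names and the rules are this example's own, not Triage signature names.

```python
"""Triage registry events into persistence / defence-evasion findings.

Added example: parses the one-line event form used in the report tables and
applies rules of this example's own design (finding names are not Triage's).
"""
import re
from collections import defaultdict

# One event per line, e.g.
#   Set value (int) \REGISTRY\MACHINE\...\Policies\System\EnableLUA = "0" xbirelm.exe
#   Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc xbirelm.exe
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key deleted|Key opened|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'        # key path; may contain spaces ("Windows NT")
    r'(?:\s+=\s+"(?P<data>[^"]*)")?'    # data is present only for Set value events
    r'\s+(?P<proc>\S+)$'                # the acting process is always the last token
)

# UAC policy values under Policies\System whose modification we treat as tampering
UAC_VALUES = {'enablelua', 'consentpromptbehavioradmin', 'consentpromptbehavioruser',
              'promptonsecuredesktop', 'enableinstallerdetection'}
RUN_KEY_RE = re.compile(r'\\currentversion\\run(once)?\\')


def parse_event(line):
    """Return {'op', 'path', 'data', 'proc', 'path_l'} or None if the line does not parse."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev['path_l'] = ev['path'].lower()
    return ev


def classify(ev):
    """Return (finding, detail) pairs for one parsed event."""
    op, p, data = ev['op'], ev['path_l'], ev['data']
    value = p.rsplit('\\', 1)[-1]          # last path component: the value or key name
    is_set = op.startswith('Set value')
    out = []
    if is_set and '\\policies\\system\\' in p and value in UAC_VALUES:
        # EnableLUA=0 only takes effect after a reboot; the write itself is the signal.
        out.append(('uac_policy_tamper', f'{value}={data}'))
    if op == 'Key value queried' and p.endswith('\\policies\\system\\enablelua'):
        out.append(('uac_state_check', 'EnableLUA read back'))
    if is_set and p.endswith('\\policies\\system\\disableregistrytools') and data == '1':
        out.append(('regedit_disabled', ev['path']))
    if is_set and p.endswith('\\winlogon\\shell'):
        # Writing the default value is still a finding: a sensitive key was touched.
        default = data.lower() == 'explorer.exe'
        out.append(('winlogon_shell_write', 'default value' if default else f'non-default: {data}'))
    if is_set and '\\policies\\explorer\\run\\' in p:
        out.append(('policy_run_key', f'{value}={data}'))
    elif op == 'Key created' and p.endswith('\\policies\\explorer\\run'):
        out.append(('policy_run_key', 'key created'))
    elif is_set and RUN_KEY_RE.search(p):
        # A bare file name (no directory) is resolved through the loader's search path
        # at logon, so a same-named copy dropped into C:\Windows or SysWOW64 is found.
        bare = '\\' not in data
        out.append(('run_key', f'{value}={data}' + (' (bare name)' if bare else '')))
    if op == 'Key deleted' and '\\control\\safeboot\\' in p:
        out.append(('safeboot_entry_removed', value))
    return out


def triage(lines):
    """Group findings per process: {process: {finding: [detail, ...]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, detail in classify(ev):
            findings[ev['proc']][name].append(detail)
    return {proc: dict(f) for proc, f in findings.items()}


# Event lines copied from the report tables above.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" wfsgytrrgpc.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xbirelm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xbirelm.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" wfsgytrrgpc.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" wfsgytrrgpc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mrzjxfhs = "xngbatgcxjkbwssvbjb.exe" xbirelm.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run wfsgytrrgpc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kntbnt = "dribypaunxwleywxb.exe" xbirelm.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rzkxozesfjc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrmjkfuspdgzwuwbjtnfa.exe ." xbirelm.exe',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc xbirelm.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xbirelm.exe',
]

if __name__ == '__main__':
    for proc, found in triage(SAMPLE_EVENTS).items():
        print(proc)
        for name, details in found.items():
            print(f'  {name}: {details}')
```

The rules deliberately key on the write, not the written content: the Winlogon Shell line fires even though "Explorer.exe" is the default, and the UAC rule fires on the first write rather than waiting for a reboot to confirm the effect. The bare-name annotation on Run values is the cue to go and look in every directory on the search path for a file of that name.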
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

Flow | Host
15 | www.showmyipaddress.com
26 | www.whatismyip.ca
27 | whatismyipaddress.com
32 | whatismyip.everdot.org
38 | whatismyip.everdot.org
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes. Since the AutoRun hardening Microsoft shipped in 2011 (KB971029, the default in later Windows releases), autorun.inf is ignored on non-optical removable media, so on a patched host the file is mainly a propagation indicator rather than a reliable execution vector; the F:\ copy here shows the sample writing to a second volume in the sandbox.

Operation | Path | Process
File created | F:\autorun.inf | xbirelm.exe
File opened for modification | C:\autorun.inf | xbirelm.exe
File created | C:\autorun.inf | xbirelm.exe
File opened for modification | F:\autorun.inf | xbirelm.exe
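An autorun.inf is an INI-style file whose [autorun] section names what Explorer should launch (open=, shellexecute=) and which context-menu verbs to add (shell\<verb>\command=, with shell=<verb> selecting the double-click default). The parser below is an added example, not code from the report or from the sample. The file content it parses is constructed, with a hypothetical payload.exe, because the report records only that the file was created on C:\ and F:\, not its contents; worm-written autorun.inf files are often padded with junk lines, which the parser tolerates.

```python
"""Parse an autorun.inf and list what it would launch.

Added example; the sample file below is constructed and payload.exe is hypothetical.
"""
import re

LAUNCH_KEYS = ('open', 'shellexecute')
VERB_RE = re.compile(r'^shell\\([^\\]+)\\command$', re.IGNORECASE)
EXEC_EXT = ('.exe', '.com', '.bat', '.cmd', '.scr', '.pif', '.vbs', '.js')


def parse_autorun(text):
    """Return {key: value} for the [autorun] section only, last write wins.

    Lines without '=' (junk padding, binary noise) and keys in other
    sections are ignored; section and key names are case-insensitive.
    """
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((';', '#')):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
            continue
        if section != 'autorun' or '=' not in line:
            continue
        key, _, value = line.partition('=')
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Map each launch mechanism to its command line.

    Covers open=, shellexecute=, every shell\\<verb>\\command= and, when
    shell=<verb> names one of those verbs, the resolved double-click default.
    """
    targets = {k: entries[k] for k in LAUNCH_KEYS if k in entries}
    verbs = {}
    for key, cmd in entries.items():
        m = VERB_RE.match(key)
        if m:
            verbs[m.group(1).lower()] = cmd
    for verb, cmd in verbs.items():
        targets[f'shell\\{verb}\\command'] = cmd
    default_verb = entries.get('shell', '').lower()
    if default_verb in verbs:
        targets['default-verb'] = verbs[default_verb]
    return targets


def suspicious(targets):
    """(mechanism, program) pairs whose program is an executable type: the files to pull."""
    hits = []
    for mech, cmd in targets.items():
        program = cmd.strip().strip('"').split()[0] if cmd.strip() else ''
        if program.lower().endswith(EXEC_EXT):
            hits.append((mech, program))
    return hits


# Constructed sample: the report does not show the dropped file's content.
SAMPLE_AUTORUN = r"""[autorun]
;junk padding typical of worm-written files
x9f!!garbage-padding-line-without-delimiter
open=payload.exe
shellexecute=payload.exe -autorun
shell\Open\Command=payload.exe
shell\Explore\Command=payload.exe
shell=Open
icon=%SystemRoot%\system32\shell32.dll,4
UseAutoPlay=1
[other]
open=ignored-because-wrong-section.exe
"""

if __name__ == '__main__':
    targets = launch_targets(parse_autorun(SAMPLE_AUTORUN))
    for mech, program in suspicious(targets):
        print(f'{mech}: {program}')
```

On a removable volume the interesting output is the set of distinct programs, usually one hidden executable referenced by every mechanism; on an infected host the same names should be matched against the dropped-file lists in this report.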
Drops file in System32 directory (32 IoCs)

Operation | Path | Process
File opened for modification | C:\Windows\SysWOW64\mbtnldpkeppfzutvah.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\xngbatgcxjkbwssvbjb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\wjzrndngyhftlebb.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\mbtnldpkeppfzutvah.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\kbvrrlzwsfhzvstxengx.exe | xbirelm.exe
File created | C:\Windows\SysWOW64\rzkxozesfjclymezxxhpanepuivzsbocu.nnx | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\dribypaunxwleywxb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\zrmjkfuspdgzwuwbjtnfa.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\mbtnldpkeppfzutvah.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\qjfdfbrqodhbzybhqbwplj.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\xngbatgcxjkbwssvbjb.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\zrmjkfuspdgzwuwbjtnfa.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\dribypaunxwleywxb.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\qjfdfbrqodhbzybhqbwplj.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\dribypaunxwleywxb.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\qjfdfbrqodhbzybhqbwplj.exe | xbirelm.exe
File created | C:\Windows\SysWOW64\axxzffzcexfdfipzmbaxxz.fzc | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\kbvrrlzwsfhzvstxengx.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\zrmjkfuspdgzwuwbjtnfa.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\zrmjkfuspdgzwuwbjtnfa.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\kbvrrlzwsfhzvstxengx.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\kbvrrlzwsfhzvstxengx.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\wjzrndngyhftlebb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\qjfdfbrqodhbzybhqbwplj.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\mbtnldpkeppfzutvah.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\rzkxozesfjclymezxxhpanepuivzsbocu.nnx | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\wjzrndngyhftlebb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\xngbatgcxjkbwssvbjb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\dribypaunxwleywxb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\SysWOW64\wjzrndngyhftlebb.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\xngbatgcxjkbwssvbjb.exe | xbirelm.exe
File opened for modification | C:\Windows\SysWOW64\axxzffzcexfdfipzmbaxxz.fzc | xbirelm.exe
Drops file in Program Files directory (4 IoCs)

Operation | Path | Process
File created | C:\Program Files (x86)\rzkxozesfjclymezxxhpanepuivzsbocu.nnx | xbirelm.exe
File opened for modification | C:\Program Files (x86)\axxzffzcexfdfipzmbaxxz.fzc | xbirelm.exe
File created | C:\Program Files (x86)\axxzffzcexfdfipzmbaxxz.fzc | xbirelm.exe
File opened for modification | C:\Program Files (x86)\rzkxozesfjclymezxxhpanepuivzsbocu.nnx | xbirelm.exe
Drops file in Windows directory (32 IoCs)

Operation | Path | Process
File opened for modification | C:\Windows\wjzrndngyhftlebb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\dribypaunxwleywxb.exe | xbirelm.exe
File opened for modification | C:\Windows\xngbatgcxjkbwssvbjb.exe | xbirelm.exe
File opened for modification | C:\Windows\zrmjkfuspdgzwuwbjtnfa.exe | xbirelm.exe
File opened for modification | C:\Windows\wjzrndngyhftlebb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\qjfdfbrqodhbzybhqbwplj.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\xngbatgcxjkbwssvbjb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\kbvrrlzwsfhzvstxengx.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\zrmjkfuspdgzwuwbjtnfa.exe | xbirelm.exe
File created | C:\Windows\rzkxozesfjclymezxxhpanepuivzsbocu.nnx | xbirelm.exe
File opened for modification | C:\Windows\mbtnldpkeppfzutvah.exe | xbirelm.exe
File opened for modification | C:\Windows\qjfdfbrqodhbzybhqbwplj.exe | xbirelm.exe
File opened for modification | C:\Windows\dribypaunxwleywxb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\rzkxozesfjclymezxxhpanepuivzsbocu.nnx | xbirelm.exe
File opened for modification | C:\Windows\mbtnldpkeppfzutvah.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\kbvrrlzwsfhzvstxengx.exe | xbirelm.exe
File opened for modification | C:\Windows\kbvrrlzwsfhzvstxengx.exe | xbirelm.exe
File opened for modification | C:\Windows\axxzffzcexfdfipzmbaxxz.fzc | xbirelm.exe
File opened for modification | C:\Windows\qjfdfbrqodhbzybhqbwplj.exe | xbirelm.exe
File opened for modification | C:\Windows\wjzrndngyhftlebb.exe | xbirelm.exe
File created | C:\Windows\axxzffzcexfdfipzmbaxxz.fzc | xbirelm.exe
File opened for modification | C:\Windows\qjfdfbrqodhbzybhqbwplj.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\dribypaunxwleywxb.exe | xbirelm.exe
File opened for modification | C:\Windows\xngbatgcxjkbwssvbjb.exe | xbirelm.exe
File opened for modification | C:\Windows\zrmjkfuspdgzwuwbjtnfa.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\mbtnldpkeppfzutvah.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\xngbatgcxjkbwssvbjb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\zrmjkfuspdgzwuwbjtnfa.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\dribypaunxwleywxb.exe | wfsgytrrgpc.exe
File opened for modification | C:\Windows\wjzrndngyhftlebb.exe | xbirelm.exe
File opened for modification | C:\Windows\mbtnldpkeppfzutvah.exe | xbirelm.exe
File opened for modification | C:\Windows\kbvrrlzwsfhzvstxengx.exe | wfsgytrrgpc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

Operation | Key | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wfsgytrrgpc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xbirelm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)

The 64 entries, in report order, collapsed into consecutive runs:

PID | Process | Consecutive entries
4436 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 16
2128 | xbirelm.exe | 2
4436 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 20
2128 | xbirelm.exe | 1
4436 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 1
2128 | xbirelm.exe | 1
4436 | 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe | 21
2128 | xbirelm.exe | 2

Totals: 58 entries for pid 4436 (the submitted sample), 6 for pid 2128 (xbirelm.exe).
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  2128  xbirelm.exe
Suspicious use of WriteProcessMemory 12 IoCs
description  pid  Process  procid_target
PID 4436 wrote to memory of 232  4436  20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe  86
PID 4436 wrote to memory of 232  4436  20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe  86
PID 4436 wrote to memory of 232  4436  20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe  86
PID 232 wrote to memory of 2128  232  wfsgytrrgpc.exe  87
PID 232 wrote to memory of 2128  232  wfsgytrrgpc.exe  87
PID 232 wrote to memory of 2128  232  wfsgytrrgpc.exe  87
PID 232 wrote to memory of 3768  232  wfsgytrrgpc.exe  88
PID 232 wrote to memory of 3768  232  wfsgytrrgpc.exe  88
PID 232 wrote to memory of 3768  232  wfsgytrrgpc.exe  88
PID 4436 wrote to memory of 1840  4436  20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe  93
PID 4436 wrote to memory of 1840  4436  20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe  93
PID 4436 wrote to memory of 1840  4436  20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe  93
System policy modification 1 TTPs 36 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  xbirelm.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  xbirelm.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  wfsgytrrgpc.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  xbirelm.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  xbirelm.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  xbirelm.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  xbirelm.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  wfsgytrrgpc.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  xbirelm.exe
Processes
Process tree (indentation shows the parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729N.exe"
  PID: 4436
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe" "c:\users\admin\appdata\local\temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729n.exe*"
      PID: 232
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Users\Admin\AppData\Local\Temp\xbirelm.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\xbirelm.exe" "-C:\Users\Admin\AppData\Local\Temp\wjzrndngyhftlebb.exe"
          PID: 2128
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Impair Defenses: Safe Mode Boot
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - System policy modification
        C:\Users\Admin\AppData\Local\Temp\xbirelm.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\xbirelm.exe" "-C:\Users\Admin\AppData\Local\Temp\wjzrndngyhftlebb.exe"
          PID: 3768
          - Modifies WinLogon for persistence
          - UAC bypass
          - Adds policy Run key to start application
          - Disables RegEdit via registry modification
          - Executes dropped EXE
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Hijack Execution Flow: Executable Installer File Permissions Weakness
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System policy modification
    C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\wfsgytrrgpc.exe" "c:\users\admin\appdata\local\temp\20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729n.exe"
      PID: 1840
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Tactic / technique / sub-technique (count of matching signatures)
Persistence
  Boot or Logon Autostart Execution 3
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 3
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
  Impair Defenses 2
    Disable or Modify Tools 1
    Safe Mode Boot 1
  Modify Registry 5
Downloads
- Filesize 280B
  MD5 bd2520430957911f1629a6889d5cd609
  SHA1 e4ea07540c39c3c35cf9dff4794dcc5d8e85fa6d
  SHA256 cec705fe0a99f3642724537a5a9c8b1ed540ada1ab7ff6afe48b7844ae3156a4
  SHA512 f74582b5981139508441459cc7faff963c8a256325d25c3bf3ad89dab4399c0c64c26f202ce801f89e663f2fd1dd28fd3682492c2334bac610f3e23009b61afd
- Filesize 280B
  MD5 60e7c1af90ac7da71ab7ff9ca7eca481
  SHA1 b1dd5e4d5394074eb0cdcd345cd57e8b3221e224
  SHA256 0884f711eb0f0f222a995a87690e8fa4b1e091da84c14ec26dd07d9175286963
  SHA512 415a35a0d3a9b77a106376fd5e86e205f1414643646624da953f5f52caa9b5ca8ba65c455eda0738ded55d3a9b451e6174d55b4fdcd3e815f43fe27fa531a6ac
- Filesize 280B
  MD5 dd5a5934166cf23a244d110833d1a514
  SHA1 8790fea21559a96444a43ba8f7b961fcb38978a9
  SHA256 1b3f45335c0e382b492ec9c2d48a8f45fafa62070a8e80ba5e465019b910e227
  SHA512 30c8b0500f331dc46dae05ccb5cacc461454debddb9668df5ce926a820e4d9469103682b8b18992bd9be59ecf7b1549031780a2613448981c9d64d5b9c6b9423
- Filesize 280B
  MD5 4273527bcde7f63d256b13c02e66295b
  SHA1 9974395a47c3e36fb3d57c8d9d8f9b94690753f0
  SHA256 d571e4e68e78228dd975a16024d0308b2c778cf895636a98e18091e7506a4a9e
  SHA512 f2d4dc89ab7bab75f6839f93eb0eab5d525b80985742809840c75a76fe28cbdf6c3ee4235e36dd3a0138050fd70a099c87c98fca210820099bae6c05734c76d4
- Filesize 280B
  MD5 54da4b15022449b8ef5727c03c7de026
  SHA1 6a7599c18dc061c58aeb99e5edbe95774eaa858f
  SHA256 dd035da461c6f9998271ebd6f583a412f070fe3a1f115a8010a7c759be3a9818
  SHA512 38f54d1ad16f024a1e69f0d7bfb9d332bf1ea873eef56f0283722de2cd8fed1bb1e6be3cf007631ce3430fef3315acd94dd1bed4b603bf051a99662d98fe1ac5
- Filesize 320KB
  MD5 f0e64f88e32c65a9ffa6acbf7d068743
  SHA1 0e847534b1ba79db51e9c1faf90d7e7a2aea4b54
  SHA256 b9a8304a7d1499f6b9465b6065c0c4bd1eac06a139f094f70855dac331309e95
  SHA512 6f0a9bdecdf1272443049e63a50a18069f4500bf895f1805fe5f999901ea097d1a18026db3b252642c31db402490a81293279263ba9f4adf2ef267f7ca8799c1
- Filesize 716KB
  MD5 2fabd71cb31622fb7c9bf141026ae7ce
  SHA1 a2d3be08077ab76dde50f16b2cbeb1fab020ff96
  SHA256 a91c95a52f0bf2b1492efd46567b2126cf937ea37c4478bd154f43e5a42c8058
  SHA512 13248094dd253d391fbcfb099838524b791cfc7b196cbe177ac8f44df2f4250f9cbc2213cacd74106356e2254988e46960aaa25b9bb9dc0115f3290475108c75
- Filesize 280B
  MD5 0d313f1d798a60b1d63a91ae432b1791
  SHA1 8c2e69121f79a185d92c35d9c89ba4e490d77dd2
  SHA256 23411534781d27b8888543349b15cdc176abcea22146a44d91fb64f7678ead6d
  SHA512 cf1573b945a0ea1dc17c58fc70d6f7d822ff7d4de061999fea35f04b71a9f1528ea0bb0e06b03bba10dbb7aa55525ed1478f0d46a43453665d4dc1200c168177
- Filesize 280B
  MD5 8498f1c12c297e8759f20548017da75b
  SHA1 4874183500a81b446375d40c80df65b846e50164
  SHA256 b58d6fc5512a729679df757ee4be580da093f32b8ee9918e8324777f683a89ff
  SHA512 7b41e628f389b8994de6a6f7cd2077358cf62276844f37671a20f39994ce710113b42c8ef98dcd7dc33cb940bf8b36fc43ba06bdf7cf07f77d4dc7ef296c7e30
- Filesize 4KB
  MD5 27cf167481e7338b3b8f15d443ffed31
  SHA1 09c85eb3ff60676c52d105c773adfec126718af4
  SHA256 95386002abe6c00a82a26ed880b962b2b21558a30a1686391320b941ac2fdbc4
  SHA512 9667c13cbe5635ce3886ba24cb033a2b991b43122e32d403021f60f2691921ceec1e2b27ff3ba22316aa73cb83b96f6943f8a335b073e2c15a8bf242e147a18e
- Filesize 1016KB
  MD5 18e163786a650174a88b891fd947c890
  SHA1 ca5914aa9b8d04bde6c230dfb3ba12284556a0de
  SHA256 20e62180a2816d92a27ae333d74a2057b5fd27cbbd6b4e4da7ce5ce6f706a729
  SHA512 f0d5c8d3bd1adcab128c323c4f2bd3596bfb548e07e97c9324aaca689a42d73748f0897af197d86bc661a994256a8c4edd75bae313ef0cc9e3a16c9808174ed5