Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 18:40

Static task: static1

Behavioral task: behavioral1
Sample: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Resource: win10v2004-20241007-en
General
Target: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Size: 1016KB
MD5: 033277c330873b005d0b593011a48780
SHA1: e37535d32d6a8104d33107d39a1e93685bfe5117
SHA256: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277
SHA512: 80435c29cbc80d99829511fc3c9b1819ad2f1f21c36e450b80854ba24d13a4583d43348ef155f7c369fce4bdb4585350640100fc76477ce56e95cb4b810568b2
SSDEEP: 6144:BIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUB:BIXsgtvm1De5YlOx6lzBH46U
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | yfjxekl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | izfuneuesjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | yfjxekl.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | yfjxekl.exe
Adds policy Run key to start application 2 TTPs 27 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yfjxekl.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | yfjxekl.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | izfuneuesjp.exe
Executes dropped EXE 3 IoCs
pid | Process
2864 | izfuneuesjp.exe
2424 | yfjxekl.exe
1336 | yfjxekl.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | yfjxekl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | yfjxekl.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | yfjxekl.exe
Loads dropped DLL 6 IoCs
pid | Process
2548 | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
2548 | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
2864 | izfuneuesjp.exe
2864 | izfuneuesjp.exe
2864 | izfuneuesjp.exe
2864 | izfuneuesjp.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | izfuneuesjp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | yfjxekl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | yfjxekl.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | yfjxekl.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | yfjxekl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | yfjxekl.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | whatismyipaddress.com
5 | www.showmyipaddress.com
13 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | yfjxekl.exe
File created | C:\autorun.inf | yfjxekl.exe
File opened for modification | F:\autorun.inf | yfjxekl.exe
File created | F:\autorun.inf | yfjxekl.exe
Drops file in System32 directory 25 IoCs
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\cdbjkkfeihcjfktagguvtbc.xwa | yfjxekl.exe
File created | C:\Program Files (x86)\cdbjkkfeihcjfktagguvtbc.xwa | yfjxekl.exe
File opened for modification | C:\Program Files (x86)\pbkdpagqfpvnukewnyxjslxioynxdvcsme.gfr | yfjxekl.exe
File created | C:\Program Files (x86)\pbkdpagqfpvnukewnyxjslxioynxdvcsme.gfr | yfjxekl.exe
Drops file in Windows directory 25 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | izfuneuesjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yfjxekl.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2424 | yfjxekl.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2548 wrote to memory of 2864 | 2548 | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe | 30
PID 2548 wrote to memory of 2864 | 2548 | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe | 30
PID 2548 wrote to memory of 2864 | 2548 | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe | 30
PID 2548 wrote to memory of 2864 | 2548 | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe | 30
PID 2864 wrote to memory of 1336 | 2864 | izfuneuesjp.exe | 31
PID 2864 wrote to memory of 1336 | 2864 | izfuneuesjp.exe | 31
PID 2864 wrote to memory of 1336 | 2864 | izfuneuesjp.exe | 31
PID 2864 wrote to memory of 1336 | 2864 | izfuneuesjp.exe | 31
PID 2864 wrote to memory of 2424 | 2864 | izfuneuesjp.exe | 32
PID 2864 wrote to memory of 2424 | 2864 | izfuneuesjp.exe | 32
PID 2864 wrote to memory of 2424 | 2864 | izfuneuesjp.exe | 32
PID 2864 wrote to memory of 2424 | 2864 | izfuneuesjp.exe | 32
System policy modification 1 TTPs 36 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" yfjxekl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yfjxekl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" yfjxekl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" izfuneuesjp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" izfuneuesjp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" yfjxekl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" yfjxekl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" yfjxekl.exe
Processes
Process (level 1): C:\Users\Admin\AppData\Local\Temp\18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2548
Process (level 2): C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277n.exe*"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2864
Process (level 3): C:\Users\Admin\AppData\Local\Temp\yfjxekl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\yfjxekl.exe" "-C:\Users\Admin\AppData\Local\Temp\xnaxncmathrnysqm.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID: 1336
Process (level 3): C:\Users\Admin\AppData\Local\Temp\yfjxekl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\yfjxekl.exe" "-C:\Users\Admin\AppData\Local\Temp\xnaxncmathrnysqm.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2424
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
Filesize: 280B
MD5: d545ac285137f565c4452998a47593dd
SHA1: 55a004fad2d8ea6c7100fdc95708d2075687a6de
SHA256: 0945c143b47ec7becf755aed60ce7063417f2e4056eed2959b816141b0eb3f96
SHA512: bd81f38432706e9b71d93c8d861510d76f1db2aa3557e2265f68d7379f5c45bb9b564191d1343eafded3d768a05250ae8aaae7e672ad72c2e2cd6c526f1547f5

Filesize: 280B
MD5: 308d87a5bd645368db965b63a5a24c15
SHA1: c71c64af532a19f26fa14e8bfae3635d10a23aef
SHA256: f22337d87d86a653c1a692dcbbf763fe75f9c7d65b42468fb8520b37c4dab386
SHA512: 9a2bb37b97851a01e64e2494596c8b2fae53b774eba4bcdb14a8008f30589ecdf001d73e0c6a97fe8db377570762681ae9aaa21b7d2a92db14ee0c006d827322

Filesize: 280B
MD5: 7a7e9ae4ef5b44924cc49ec8a2c93ce5
SHA1: 3efe7b9cff609aa2820251b5ba4226be7a9e2e2a
SHA256: 9bb2b1a2b59220965b91056b28d1b773c465188601aebb064be48d11289988c8
SHA512: f90a0e6254b5737c2064f6b89e4ab24d1b6b7ef733c7b900ab64c284c0cac8649ecc52d7ae1834cd280442680c5a675d74b717709e45c6696209509772e6ad22

Filesize: 4KB
MD5: b6265179b68373945281f594a280abf8
SHA1: 8575ba74fe550ca45605dd7ccbfd7f4847cf7123
SHA256: 533d05c4e024a7908005cf8c92b57078500fa9ad258215f4a12b66bdfb38add3
SHA512: 0b2ff6e6d67100707d83905a59be64d54fff614236657f478dfc8cac09c9708975b081b94348a754e716a58779789c297d20725b0693405b6d1aafba80880991

Filesize: 1016KB
MD5: 033277c330873b005d0b593011a48780
SHA1: e37535d32d6a8104d33107d39a1e93685bfe5117
SHA256: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277
SHA512: 80435c29cbc80d99829511fc3c9b1819ad2f1f21c36e450b80854ba24d13a4583d43348ef155f7c369fce4bdb4585350640100fc76477ce56e95cb4b810568b2

Filesize: 320KB
MD5: efe1eddee674b1b4ad381b6c6fc79364
SHA1: 422392e19058bc59743e8454315621f5199b5371
SHA256: 92b7fd6f62b79e425f7cdc875977bb005713d9afbb6584e56aa24053c1613d41
SHA512: 7c0b02dc207e6b1abcdfb829c9cbb5c4a5492b5e6ad6ceed7b281cc100cbe8cf68bf3dcb4acb8776ab3c93d0158e9f9e898fdf6b3dd20a65a6d09c5a676bbdd9

Filesize: 720KB
MD5: 6b46656140e2a3bd9ca16891dfb8bd61
SHA1: 40cb4135eed67e8d5f7230724c88bc1b42ae3e3c
SHA256: 4736c35015f9f6e34244d60002665b5a815ba9f591f14a8f913fd59701a21620
SHA512: 4922860155934adfe0614d0b9d35660743ea184c47124254a48703cba300bf0ab197b0125c7f1f576d321c7889edeeb1e9a4fab2b1a29b941c9ce34414bf386d