Analysis
max time kernel: 120s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2024 18:40

Static task: static1
Behavioral task: behavioral1
Sample: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Resource: win10v2004-20241007-en

General
Target: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Size: 1016KB
MD5: 033277c330873b005d0b593011a48780
SHA1: e37535d32d6a8104d33107d39a1e93685bfe5117
SHA256: 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277
SHA512: 80435c29cbc80d99829511fc3c9b1819ad2f1f21c36e450b80854ba24d13a4583d43348ef155f7c369fce4bdb4585350640100fc76477ce56e95cb4b810568b2
SSDEEP: 6144:BIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUB:BIXsgtvm1De5YlOx6lzBH46U

Malware Config

Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ittaen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ittaen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | avbhxuykkfl.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ittaen.exe
Adds policy Run key to start application 2 TTPs 24 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ittaen.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ittaen.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ittaen.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | avbhxuykkfl.exe
Executes dropped EXE 3 IoCs
pid | Process
1060 | avbhxuykkfl.exe
652 | ittaen.exe
3292 | ittaen.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ittaen.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ittaen.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ittaen.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ittaen.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ittaen.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ittaen.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ittaen.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ittaen.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | avbhxuykkfl.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | avbhxuykkfl.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ittaen.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ittaen.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
17 | www.whatismyip.ca
26 | www.showmyipaddress.com
30 | whatismyip.everdot.org
32 | www.whatismyip.ca
33 | whatismyipaddress.com
40 | whatismyip.everdot.org
41 | www.whatismyip.ca
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | ittaen.exe
File created | C:\autorun.inf | ittaen.exe
File opened for modification | F:\autorun.inf | ittaen.exe
File created | F:\autorun.inf | ittaen.exe
Drops file in System32 directory 25 IoCs
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\zdwwtvzvpqajdxbmeehle.bdh | ittaen.exe
File created | C:\Program Files (x86)\zdwwtvzvpqajdxbmeehle.bdh | ittaen.exe
File opened for modification | C:\Program Files (x86)\ujnygtipugbvafuqteshlwergnseztyd.orc | ittaen.exe
File created | C:\Program Files (x86)\ujnygtipugbvafuqteshlwergnseztyd.orc | ittaen.exe
Drops file in Windows directory 25 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ittaen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ittaen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | avbhxuykkfl.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 3292 ittaen.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 4592 wrote to memory of 1060 4592 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe 82
PID 4592 wrote to memory of 1060 4592 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe 82
PID 4592 wrote to memory of 1060 4592 18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe 82
PID 1060 wrote to memory of 652 1060 avbhxuykkfl.exe 87
PID 1060 wrote to memory of 652 1060 avbhxuykkfl.exe 87
PID 1060 wrote to memory of 652 1060 avbhxuykkfl.exe 87
PID 1060 wrote to memory of 3292 1060 avbhxuykkfl.exe 88
PID 1060 wrote to memory of 3292 1060 avbhxuykkfl.exe 88
PID 1060 wrote to memory of 3292 1060 avbhxuykkfl.exe 88
-
System policy modification 1 TTPs 34 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ittaen.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ittaen.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" avbhxuykkfl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" avbhxuykkfl.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" avbhxuykkfl.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" ittaen.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" ittaen.exe
Processes
C:\Users\Admin\AppData\Local\Temp\18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277N.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\avbhxuykkfl.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\avbhxuykkfl.exe" "c:\users\admin\appdata\local\temp\18fe37fd8b64145b123d5b9498ebc1ee36116e4e9c58e02293f273fdc7957277n.exe*"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1060

C:\Users\Admin\AppData\Local\Temp\ittaen.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\ittaen.exe" "-C:\Users\Admin\AppData\Local\Temp\upzqexsfqijjufac.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System policy modification
PID:652

C:\Users\Admin\AppData\Local\Temp\ittaen.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\ittaen.exe" "-C:\Users\Admin\AppData\Local\Temp\upzqexsfqijjufac.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3292
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads