Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 01:37
Static task: static1
Behavioral task: behavioral1
Sample: 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
Resource: win10v2004-20241007-en
General
Target: 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
Size: 704KB
MD5: 906593a62b364af3cbebf6d28d595531
SHA1: 97f124e6394796b8020e5162b04cafcc6ebdf11a
SHA256: 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7
SHA512: cb419c171cdeb5f034e35f7337dee26718b47c6cc55b167e4da79210f34cfa28e843b5a65a5260d9ce96a5a1688d8fdf2d57f4c44d56a8d667ea46ba9b451bd2
SSDEEP: 12288:mXgvmzFHi0mo5aH0qMzd5807FIjPJQPDHvd:mXgvOHi0mGaH0qSdPFIl4V
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cijpwgl.exe
UAC bypass 12 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cijpwgl.exe
Adds policy Run key to start application 2 TTPs 28 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "eynhcatqqdzwwbtaqxrga.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "cuhzsofayjdywzpuinf.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "riuldyoifpiczbquhl.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhzsofayjdywzpuinf.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cijpwgl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "riuldyoifpiczbquhl.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "riuldyoifpiczbquhl.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "cuhzsofayjdywzpuinf.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ryahpagq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
Disables RegEdit via registry modification 6 IoCs
description ioc Process
- Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cijpwgl.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cijpwgl.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, most likely for geofencing.
description ioc Process
- Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
Executes dropped EXE 2 IoCs
pid Process
- 4788 cijpwgl.exe
- 4704 cijpwgl.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description ioc Process
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager cijpwgl.exe
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys cijpwgl.exe
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc cijpwgl.exe
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power cijpwgl.exe
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys cijpwgl.exe
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc cijpwgl.exe
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "bqapfymezhyqllya.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhzsofayjdywzpuinf.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "eynhcatqqdzwwbtaqxrga.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\selxkalasxlas = "eynhcatqqdzwwbtaqxrga.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "cuhzsofayjdywzpuinf.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhzsofayjdywzpuinf.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\selxkalasxlas = "eynhcatqqdzwwbtaqxrga.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\selxkalasxlas = "cuhzsofayjdywzpuinf.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\selxkalasxlas = "riuldyoifpiczbquhl.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\selxkalasxlas = "iyjzqkzsoxpieftwi.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhzsofayjdywzpuinf.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhzsofayjdywzpuinf.exe ." 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "riuldyoifpiczbquhl.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\selxkalasxlas = "piwpjgyutfawvzqwlrky.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "eynhcatqqdzwwbtaqxrga.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqapfymezhyqllya.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "bqapfymezhyqllya.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyjzqkzsoxpieftwi.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\selxkalasxlas = "bqapfymezhyqllya.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuhzsofayjdywzpuinf.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "piwpjgyutfawvzqwlrky.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eynhcatqqdzwwbtaqxrga.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyjzqkzsoxpieftwi.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "riuldyoifpiczbquhl.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\piwpjgyutfawvzqwlrky.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqapfymezhyqllya.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "piwpjgyutfawvzqwlrky.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "cuhzsofayjdywzpuinf.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tgobpgsibhwmfd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "cuhzsofayjdywzpuinf.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iqtbkwdoc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iyjzqkzsoxpieftwi.exe" cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "piwpjgyutfawvzqwlrky.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "iyjzqkzsoxpieftwi.exe ." 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "bqapfymezhyqllya.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "eynhcatqqdzwwbtaqxrga.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "riuldyoifpiczbquhl.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "riuldyoifpiczbquhl.exe" cijpwgl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "iyjzqkzsoxpieftwi.exe ." cijpwgl.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tekvhwgulpcq = "bqapfymezhyqllya.exe" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
Checks whether UAC is enabled 6 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cijpwgl.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cijpwgl.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cijpwgl.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off UAC's installer-detection heuristic (EnableInstallerDetection = 0), so application installers no longer trigger an automatic elevation prompt for standard users.
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" cijpwgl.exe
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
- 27 whatismyipaddress.com
- 32 whatismyip.everdot.org
- 34 www.whatismyip.ca
- 40 whatismyip.everdot.org
- 15 www.whatismyip.ca
- 16 www.showmyipaddress.com
Drops file in System32 directory 4 IoCs
description ioc Process
- File created C:\Windows\SysWOW64\vywzdkmsbxcirfgwvlomptacir.syh cijpwgl.exe
- File opened for modification C:\Windows\SysWOW64\wkthwobsmtjautfgqrfocrjwnhoevpoablmaj.mer cijpwgl.exe
- File created C:\Windows\SysWOW64\wkthwobsmtjautfgqrfocrjwnhoevpoablmaj.mer cijpwgl.exe
- File opened for modification C:\Windows\SysWOW64\vywzdkmsbxcirfgwvlomptacir.syh cijpwgl.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
- File created C:\Program Files (x86)\vywzdkmsbxcirfgwvlomptacir.syh cijpwgl.exe
- File opened for modification C:\Program Files (x86)\wkthwobsmtjautfgqrfocrjwnhoevpoablmaj.mer cijpwgl.exe
- File created C:\Program Files (x86)\wkthwobsmtjautfgqrfocrjwnhoevpoablmaj.mer cijpwgl.exe
- File opened for modification C:\Program Files (x86)\vywzdkmsbxcirfgwvlomptacir.syh cijpwgl.exe
Drops file in Windows directory 4 IoCs
description ioc Process
- File opened for modification C:\Windows\vywzdkmsbxcirfgwvlomptacir.syh cijpwgl.exe
- File created C:\Windows\vywzdkmsbxcirfgwvlomptacir.syh cijpwgl.exe
- File opened for modification C:\Windows\wkthwobsmtjautfgqrfocrjwnhoevpoablmaj.mer cijpwgl.exe
- File created C:\Windows\wkthwobsmtjautfgqrfocrjwnhoevpoablmaj.mer cijpwgl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cijpwgl.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cijpwgl.exe
Modifies registry class 3 IoCs
description ioc Process
- Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings cijpwgl.exe
- Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings cijpwgl.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process
- 4788 cijpwgl.exe (22 events)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process
- 4704 cijpwgl.exe
- 4788 cijpwgl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
- Token: SeDebugPrivilege 4788 cijpwgl.exe
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target
- PID 2304 wrote to memory of 4788, 2304 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe, target 84
- PID 2304 wrote to memory of 4788, 2304 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe, target 84
- PID 2304 wrote to memory of 4788, 2304 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe, target 84
- PID 2304 wrote to memory of 4704, 2304 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe, target 85
- PID 2304 wrote to memory of 4704, 2304 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe, target 85
- PID 2304 wrote to memory of 4704, 2304 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe, target 85
System policy modification 1 TTPs 36 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" cijpwgl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cijpwgl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" cijpwgl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cijpwgl.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" 93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cijpwgl.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cijpwgl.exe
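The registry writes listed in the signatures above fall into a handful of patterns: Policies\System and Policies\Explorer values that weaken UAC and other controls, autostart entries under Run, RunOnce and Policies\Explorer\Run (many of them bare filenames or binaries in the user's Temp directory), a Winlogon Shell write, and key deletions under SafeBoot\Minimal. The Python script below is an added example for this page, not code from the sandbox or from the sample: it parses event lines in the "description ioc Process" layout used above and maps each one to a finding. The SAMPLE_EVENTS strings are a subset copied from this report; the category names, the HIGH/MEDIUM/LOW labels, the per-value explanations and the function names are this example's own.

```python
"""Triage the registry events of this report into findings.

Added example for this page, not code from the sandbox or the sample. Parses
"description ioc Process" event lines as printed above and maps each one to the
control it weakens or the autostart it creates. Category names, severities and
the per-value explanations are this example's own.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

OPS = ("Set value (str)", "Set value (int)", "Key created", "Key deleted",
       "Key value queried", "Key opened")

# Policy values the sample writes: name -> (value written, severity, effect).
# "(Windows default)" marks values that are already the default on Windows 10.
WEAKENING_POLICY = {
    "EnableLUA": ("0", "HIGH", "UAC switched off entirely"),
    "ConsentPromptBehaviorAdmin": ("0", "HIGH", "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser": ("0", "MEDIUM", "standard users' elevation requests auto-denied"),
    "PromptOnSecureDesktop": ("0", "MEDIUM", "UAC prompt drawn on the normal desktop, where it can be spoofed"),
    "EnableInstallerDetection": ("0", "MEDIUM", "installer heuristic off; installers no longer prompt for elevation"),
    "EnableVirtualization": ("0", "LOW", "UAC file and registry virtualisation off"),
    "EnableSecureUIAPaths": ("0", "LOW", "UIAccess programs allowed from non-secure paths"),
    "FilterAdministratorToken": ("0", "LOW", "built-in Administrator outside Admin Approval Mode (Windows default)"),
    "ValidateAdminCodeSignatures": ("0", "LOW", "no signature check on elevating executables (Windows default)"),
    "DisableRegistryTools": ("1", "MEDIUM", "regedit blocked for the affected user"),
    "NoDriveTypeAutoRun": ("1", "MEDIUM", "AutoRun disabled only for unknown drive types; weaker than the 0x91 default"),
}
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\",
                     "\\Policies\\Explorer\\Run\\")
SEVERITY_ORDER = ("HIGH", "MEDIUM", "LOW")


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    value: str | None
    process: str


@dataclass(frozen=True)
class Finding:
    severity: str
    category: str
    detail: str
    process: str


def parse_event(line: str) -> RegEvent:
    """Split one report line into operation, key path, value and writing process."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o)), None)
    if op is None:
        raise ValueError(f"unrecognised event line: {line!r}")
    rest, _, process = line[len(op):].strip().rpartition(" ")   # process is the last token
    if ' = "' in rest:                                           # only Set value lines carry = "..."
        path, _, value = rest.partition(' = "')
        value = value.rstrip('"').replace("\\\\", "\\")          # the report doubles backslashes
    else:
        path, value = rest, None
    return RegEvent(op, path, value, process)


def classify(ev: RegEvent) -> Finding | None:
    """Map one event to a finding, or None when it matches none of the patterns."""
    key, _, name = ev.path.rpartition("\\")
    if ev.op.startswith("Set value") and "\\Policies\\" in key and name in WEAKENING_POLICY:
        want, sev, effect = WEAKENING_POLICY[name]
        if ev.value == want:
            return Finding(sev, "policy-weakening", f"{name}={want}: {effect}", ev.process)
    if ev.op == "Set value (str)" and any(m in ev.path for m in AUTOSTART_MARKERS):
        cmd = ev.value or ""
        exe = cmd.split(" ")[0]
        if ":\\" not in exe:
            how = "bare filename, resolved via the search path at logon"
        elif "\\AppData\\Local\\Temp\\" in exe:
            how = "binary in the user's Temp directory"
        else:
            how = "full path"
        return Finding("HIGH", "autostart", f"{name} -> {cmd} ({how})", ev.process)
    if ev.op == "Set value (str)" and ev.path.endswith("\\Winlogon\\Shell"):
        # Explorer.exe is the default shell, so only a changed value is rated HIGH.
        sev = "LOW" if (ev.value or "").lower() == "explorer.exe" else "HIGH"
        return Finding(sev, "winlogon-shell", f"Shell = {ev.value}", ev.process)
    if ev.op == "Key deleted" and "\\SafeBoot\\Minimal\\" in ev.path:
        return Finding("MEDIUM", "safeboot-tamper", f"{name} removed from the Safe Mode boot set", ev.process)
    return None


def triage(lines) -> list[Finding]:
    """Parse and classify every line, most severe first; unmatched lines are dropped."""
    found = [classify(parse_event(line)) for line in lines]
    return sorted((f for f in found if f), key=lambda f: SEVERITY_ORDER.index(f.severity))


def summary(findings) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))


# A subset of the event lines from this report, copied verbatim.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" cijpwgl.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cijpwgl.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cijpwgl.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" cijpwgl.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cijpwgl.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cijpwgl.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wglvgudqgjv = "bqapfymezhyqllya.exe" cijpwgl.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkthwobsmtjautf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eynhcatqqdzwwbtaqxrga.exe" cijpwgl.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bkoxhucodf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\riuldyoifpiczbquhl.exe ." cijpwgl.exe',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager cijpwgl.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cijpwgl.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cijpwgl.exe',
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:6}] {f.category:16} {f.detail}  <- {f.process}")
    print(summary(found))
```

Run it directly to print the findings for the embedded subset, or pass the full event list of a comparable report to triage(). Two design points: the sandbox records the Winlogon Shell write even though the value written is the default Explorer.exe, so the script rates that write LOW and leaves the judgement to the analyst; and autostart values that are bare filenames (such as "bqapfymezhyqllya.exe .") are flagged separately because the binary that actually runs depends on the search path at logon rather than on a fixed location.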
Processes
-
Process (level 1): C:\Users\Admin\AppData\Local\Temp\93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\93c55deeee3cd963b82fea8d32b0848f35bb4679921045b07f8116c21c6634b7.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2304
-
Process (level 2, child of PID 2304): C:\Users\Admin\AppData\Local\Temp\cijpwgl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cijpwgl.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 4788
-
Process (level 2, child of PID 2304): C:\Users\Admin\AppData\Local\Temp\cijpwgl.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cijpwgl.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID: 4704
-
Process (level 1): C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 4540
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads