Analysis
max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
21-11-2024 01:14
Static task
static1
Behavioral task
behavioral1
Sample
8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Resource
win10v2004-20241007-en
General
Target
8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Size
1.3MB
MD5
9da793b606f0e48141a94caa8eae97f9
SHA1
f459ba585097b971445e92dae8077c4c60e1d7c7
SHA256
8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153
SHA512
8d74a7fa050414e4d93f393a7253cfa23fd62de1fe424e574f6a96bc4be3a79664d3ff1473fe4807936b0105b24b836b98f39ce6c205088e815f1ec57032cba9
SSDEEP
12288:iVgvmzFHi0mo5aH0qMzd5807FAPJQPDHvd:iVgvOHi0mGaH0qSdPFS4V
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | eflsr.exe
UAC bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Adds policy Run key to start application 2 TTPs 29 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "pfawkfwyugmwinoxxnie.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnewgxkiaikqyzwb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnewgxkiaikqyzwb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfawkfwyugmwinoxxnie.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "crlgtndezkpyjnnvujd.exe" | eflsr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfawkfwyugmwinoxxnie.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "bnewgxkiaikqyzwb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cfnwxfj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "bnewgxkiaikqyzwb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "pfawkfwyugmwinoxxnie.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "pfawkfwyugmwinoxxnie.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhseitaseg = "evrodzrurelwjprbctpmb.exe" | eflsr.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eflsr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eflsr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Executes dropped EXE 2 IoCs
pid | Process
1052 | eflsr.exe
2992 | eflsr.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | eflsr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | eflsr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | eflsr.exe
Loads dropped DLL 4 IoCs
pid | Process
1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "rfysexmmgqucmpovth.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnewgxkiaikqyzwb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfawkfwyugmwinoxxnie.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfawkfwyugmwinoxxnie.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "bnewgxkiaikqyzwb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "evrodzrurelwjprbctpmb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnewgxkiaikqyzwb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "pfawkfwyugmwinoxxnie.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfawkfwyugmwinoxxnie.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfawkfwyugmwinoxxnie.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "bnewgxkiaikqyzwb.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "bnewgxkiaikqyzwb.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnewgxkiaikqyzwb.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "bnewgxkiaikqyzwb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfysexmmgqucmpovth.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "rfysexmmgqucmpovth.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "evrodzrurelwjprbctpmb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "ivngrjxwpybirtrxu.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "rfysexmmgqucmpovth.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "crlgtndezkpyjnnvujd.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "crlgtndezkpyjnnvujd.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\tdsiqfqmciimsr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pfawkfwyugmwinoxxnie.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "bnewgxkiaikqyzwb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "pfawkfwyugmwinoxxnie.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivngrjxwpybirtrxu.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "ivngrjxwpybirtrxu.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wdpchtbuhkh = "rfysexmmgqucmpovth.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "crlgtndezkpyjnnvujd.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rfysexmmgqucmpovth.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\crlgtndezkpyjnnvujd.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\rveoqzeu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\evrodzrurelwjprbctpmb.exe" | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivngrjxwpybirtrxu.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "pfawkfwyugmwinoxxnie.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnewgxkiaikqyzwb.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\sbpelzjetyxaf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ivngrjxwpybirtrxu.exe ." | eflsr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\inxilvbsd = "crlgtndezkpyjnnvujd.exe ." | eflsr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbociveymqoq = "ivngrjxwpybirtrxu.exe ." | eflsr.exe
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eflsr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eflsr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
11 | whatismyipaddress.com
3 | whatismyip.everdot.org
4 | www.showmyipaddress.com
10 | www.whatismyip.ca
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\gbbcvvryzqbqhrxlqllmf.bij | eflsr.exe
File created | C:\Windows\SysWOW64\gbbcvvryzqbqhrxlqllmf.bij | eflsr.exe
File opened for modification | C:\Windows\SysWOW64\bhseitasegccezqpflwimxewikggidut.pam | eflsr.exe
File created | C:\Windows\SysWOW64\bhseitasegccezqpflwimxewikggidut.pam | eflsr.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\gbbcvvryzqbqhrxlqllmf.bij | eflsr.exe
File opened for modification | C:\Program Files (x86)\bhseitasegccezqpflwimxewikggidut.pam | eflsr.exe
File created | C:\Program Files (x86)\bhseitasegccezqpflwimxewikggidut.pam | eflsr.exe
File opened for modification | C:\Program Files (x86)\gbbcvvryzqbqhrxlqllmf.bij | eflsr.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\bhseitasegccezqpflwimxewikggidut.pam | eflsr.exe
File created | C:\Windows\bhseitasegccezqpflwimxewikggidut.pam | eflsr.exe
File opened for modification | C:\Windows\gbbcvvryzqbqhrxlqllmf.bij | eflsr.exe
File created | C:\Windows\gbbcvvryzqbqhrxlqllmf.bij | eflsr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eflsr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eflsr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1052 | eflsr.exe (the same entry is repeated 64 times)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1052 | eflsr.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 1852 wrote to memory of 1052 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 28
PID 1852 wrote to memory of 1052 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 28
PID 1852 wrote to memory of 1052 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 28
PID 1852 wrote to memory of 1052 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 28
PID 1852 wrote to memory of 2992 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 29
PID 1852 wrote to memory of 2992 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 29
PID 1852 wrote to memory of 2992 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 29
PID 1852 wrote to memory of 2992 | 1852 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 29
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | eflsr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | eflsr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | eflsr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | eflsr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe "C:\Users\Admin\AppData\Local\Temp\8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe" (level 1)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1852
-
C:\Users\Admin\AppData\Local\Temp\eflsr.exe "C:\Users\Admin\AppData\Local\Temp\eflsr.exe" "-" (level 2)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1052
-
-
C:\Users\Admin\AppData\Local\Temp\eflsr.exe "C:\Users\Admin\AppData\Local\Temp\eflsr.exe" "-" (level 2)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:2992
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads