Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 01:14

Static task: static1
Behavioral task: behavioral1 (sample 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe, resource win7-20240903-en)
Behavioral task: behavioral2 (sample 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe, resource win10v2004-20241007-en)
General

Target: 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
Size: 1.3MB
MD5: 9da793b606f0e48141a94caa8eae97f9
SHA1: f459ba585097b971445e92dae8077c4c60e1d7c7
SHA256: 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153
SHA512: 8d74a7fa050414e4d93f393a7253cfa23fd62de1fe424e574f6a96bc4be3a79664d3ff1473fe4807936b0105b24b836b98f39ce6c205088e815f1ec57032cba9
SSDEEP: 12288:iVgvmzFHi0mo5aH0qMzd5807FAPJQPDHvd:iVgvOHi0mGaH0qSdPFS4V
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | ebkow.exe |
UAC bypass (12 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebkow.exe |
Adds policy Run key to start application (2 TTPs, 28 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "rbxojuvmeqhqlfntcd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdslutiyixexpvz.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxojuvmeqhqlfntcd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "rbxojuvmeqhqlfntcd.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "rbxojuvmeqhqlfntcd.exe" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "bjdslutiyixexpvz.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "irmcwggwnyowqjqvd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcwggwnyowqjqvd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pnxclk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxojuvmeqhqlfntcd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ijweqsksb = "irmcwggwnyowqjqvd.exe" | ebkow.exe |
Disables RegEdit via registry modification (6 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ebkow.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ebkow.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ebkow.exe |
Checks computer location settings (2 TTPs, 1 IoC)

Looks up the country code configured in the registry, likely a geofence.

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
Executes dropped EXE (2 IoCs)

| pid | Process |
|---|---|
| 4520 | ebkow.exe |
| 2908 | ebkow.exe |
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)

| description | ioc | Process |
|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | ebkow.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | ebkow.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | ebkow.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | ebkow.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | ebkow.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | ebkow.exe |
Adds Run key to start application (2 TTPs, 64 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxojuvmeqhqlfntcd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkiwaupeykifqzlpsfe.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkiwaupeykifqzlpsfe.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "erqkiwaupeykifqzlpsfe.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzspcfysgzkhdnvgjlx.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdslutiyixexpvz.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "rbxojuvmeqhqlfntcd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxojuvmeqhqlfntcd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "cnkcykmexkcmidmtdfg.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdranqjscg = "erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "irmcwggwnyowqjqvd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "bjdslutiyixexpvz.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "cnkcykmexkcmidmtdfg.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "pbzspcfysgzkhdnvgjlx.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdranqjscg = "bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "erqkiwaupeykifqzlpsfe.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcwggwnyowqjqvd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdranqjscg = "irmcwggwnyowqjqvd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "pbzspcfysgzkhdnvgjlx.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdslutiyixexpvz.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "cnkcykmexkcmidmtdfg.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "erqkiwaupeykifqzlpsfe.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bjdslutiyixexpvz.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcwggwnyowqjqvd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxojuvmeqhqlfntcd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdranqjscg = "cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzspcfysgzkhdnvgjlx.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "pbzspcfysgzkhdnvgjlx.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdranqjscg = "rbxojuvmeqhqlfntcd.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "erqkiwaupeykifqzlpsfe.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "irmcwggwnyowqjqvd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdranqjscg = "bjdslutiyixexpvz.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pbzspcfysgzkhdnvgjlx.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "bjdslutiyixexpvz.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "bjdslutiyixexpvz.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "bjdslutiyixexpvz.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcwggwnyowqjqvd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wzoymqkufku = "rbxojuvmeqhqlfntcd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "erqkiwaupeykifqzlpsfe.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\erqkiwaupeykifqzlpsfe.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcwggwnyowqjqvd.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcwggwnyowqjqvd.exe" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxojuvmeqhqlfntcd.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bdranqjscg = "rbxojuvmeqhqlfntcd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\txnynsnykqbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rbxojuvmeqhqlfntcd.exe ." | ebkow.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rrdkvwnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cnkcykmexkcmidmtdfg.exe ." | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sxoaqwserykoe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\irmcwggwnyowqjqvd.exe" | ebkow.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cbmsccs = "pbzspcfysgzkhdnvgjlx.exe" | ebkow.exe |
Checks whether UAC is enabled (6 IoCs)

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebkow.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebkow.exe |
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)

Possibly turns off User Account Control's privilege elevation for standard users.

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | ebkow.exe |
Looks up external IP address via web service (5 IoCs)

Uses a legitimate IP lookup service to find the infected system's external IP.

| flow | ioc |
|---|---|
| 16 | www.showmyipaddress.com |
| 27 | www.whatismyip.ca |
| 29 | whatismyip.everdot.org |
| 32 | www.whatismyip.ca |
| 14 | whatismyipaddress.com |
Drops file in System32 directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\wdwkckiwluiogxcfljgngumusgvesyqhmpvtq.qew | ebkow.exe |
| File created | C:\Windows\SysWOW64\wdwkckiwluiogxcfljgngumusgvesyqhmpvtq.qew | ebkow.exe |
| File opened for modification | C:\Windows\SysWOW64\vrzcjgtwaybwdjdvqdpltwdanq.svq | ebkow.exe |
| File created | C:\Windows\SysWOW64\vrzcjgtwaybwdjdvqdpltwdanq.svq | ebkow.exe |
Drops file in Program Files directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files (x86)\vrzcjgtwaybwdjdvqdpltwdanq.svq | ebkow.exe |
| File created | C:\Program Files (x86)\vrzcjgtwaybwdjdvqdpltwdanq.svq | ebkow.exe |
| File opened for modification | C:\Program Files (x86)\wdwkckiwluiogxcfljgngumusgvesyqhmpvtq.qew | ebkow.exe |
| File created | C:\Program Files (x86)\wdwkckiwluiogxcfljgngumusgvesyqhmpvtq.qew | ebkow.exe |
Drops file in Windows directory (4 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\wdwkckiwluiogxcfljgngumusgvesyqhmpvtq.qew | ebkow.exe |
| File opened for modification | C:\Windows\vrzcjgtwaybwdjdvqdpltwdanq.svq | ebkow.exe |
| File created | C:\Windows\vrzcjgtwaybwdjdvqdpltwdanq.svq | ebkow.exe |
| File opened for modification | C:\Windows\wdwkckiwluiogxcfljgngumusgvesyqhmpvtq.qew | ebkow.exe |
Enumerates physical storage devices (1 TTP)

Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebkow.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebkow.exe |
Modifies registry class (3 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | ebkow.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | ebkow.exe |
Suspicious behavior: EnumeratesProcesses (22 IoCs)

| pid | Process |
|---|---|
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
| 4520 | ebkow.exe |
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)

| pid | Process |
|---|---|
| 2908 | ebkow.exe |
| 4520 | ebkow.exe |
Suspicious use of AdjustPrivilegeToken (1 IoC)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 4520 | ebkow.exe |
Suspicious use of WriteProcessMemory (6 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 2976 wrote to memory of 4520 | 2976 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 87 |
| PID 2976 wrote to memory of 4520 | 2976 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 87 |
| PID 2976 wrote to memory of 4520 | 2976 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 87 |
| PID 2976 wrote to memory of 2908 | 2976 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 88 |
| PID 2976 wrote to memory of 2908 | 2976 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 88 |
| PID 2976 wrote to memory of 2908 | 2976 | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe | 88 |
System policy modification (1 TTP, 36 IoCs)

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | ebkow.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | ebkow.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | ebkow.exe |
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe
"C:\Users\Admin\AppData\Local\Temp\8ab5333e54b83f7e920eb51d308b5a5fd6798ca530ef683ddf6360d5c10f3153.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\ebkow.exe
"C:\Users\Admin\AppData\Local\Temp\ebkow.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4520
-
C:\Users\Admin\AppData\Local\Temp\ebkow.exe
"C:\Users\Admin\AppData\Local\Temp\ebkow.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:2908
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4848
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 3
- Registry Run Keys / Startup Folder 2
- Winlogon Helper DLL 1
- Hijack Execution Flow 1
- Executable Installer File Permissions Weakness 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
- Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
- Registry Run Keys / Startup Folder 2
- Winlogon Helper DLL 1
- Hijack Execution Flow 1
- Executable Installer File Permissions Weakness 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
- Bypass User Account Control 1
- Hijack Execution Flow 1
- Executable Installer File Permissions Weakness 1
- Impair Defenses 2
- Disable or Modify Tools 1
- Safe Mode Boot 1
- Modify Registry 5
Downloads
-
Filesize
280B
MD5 a193177e97b6d4e2cb4ff08954d80c8b
SHA1 7503d9e1fd334ddaf38f002f52f0821a6c22201f
SHA256 600b19c76bb6e10ccca70d2f0901f2b18fc776a16e25bdd0929e4c96e09526f9
SHA512 40ddf19003f88e76ed8c98152af017393c80840181113847284b22fe1cd37b5484b72554b23ab9c9f5a2e605f00a48fa64e3cfa2ea4132fbfea16535b0cb92e6
-
Filesize
280B
MD5 c6e104f3cf539b1331bf9fa8d26d3c0c
SHA1 4fc3935e447d7a709eb9daf24755f277b80bf993
SHA256 2030882e3eee8f8b1d75d3f73fd316994591da304f8436c3e2628e550261a7f2
SHA512 48ef4df857afdc33c2a6fa54a5a7ed3d1fa8c881e5f941a4e62327817982b81c028c119bab73487368b4f35bd105764979d2bf62d733246c9a8b911eb535ab8c
-
Filesize
280B
MD5 fcf09ad4b6d2203cd224005b9a0cf155
SHA1 ea0d8ef13d7e29b65e93516c26e8ac6d0ccd5612
SHA256 e9b678e70bc4aedb8395dea93cdfe2cc676c778cd4f5d7acba0ae4977da9f2c4
SHA512 fd331a2c43c2957ad352a1977cc9d460d12ff6d9252becbafd850028265d5f9070c4b4dc11207f0b8f494b031f56ba9c7ee58da82a9785c337dada343016bcc8
-
Filesize
280B
MD5 6dbe10c26a31b5780630d2377a8a752e
SHA1 bef4169e7de8f16fb855974371a0d8395a20deb2
SHA256 0f3571559e21a5f82d44d931f0fc2d75b4b1bdd1ebe9a31aafe7c594d4b74c0d
SHA512 8a67b03384e2e14bd78d69dbc1186df50cee3ace7629066727086dcc3b924db1485e08e3b560043857a837ab108097180032438c505a248dae6eab1c14f99ee3
-
Filesize
280B
MD5 8f51db7b0682eef57fc433d66b910f0d
SHA1 ec33a5bfee91f6a08d1dd84be650547f6432cdeb
SHA256 7eb64c482e75a4872336732abfab20cccd8e8350b2ed776ffaf932e9a719ad1e
SHA512 6c8d9147b5520d683851dc92de196b66173008f773eda1fa2833b413248d6dd17d299a3051d67e3a53b2fbe15f7a942554a2ad47ae3a7638d199aea61f7704f9
-
Filesize
280B
MD5 d8e0ecec5c6aab8dda1b6cd22d15fc40
SHA1 da786005dabea910e0552da050d1622fc3d0e70f
SHA256 75b7e93beb109a4ead04e87814aa157d999920096552df92766a56621b301965
SHA512 6213540df52eb150ff351b47bea5017bea96be6548e3d1e4664d4eacad8fe2a4252fbe8d20d4028a8dda9b68ec8b4f372d84236c6fb8196284f26a0a8255b479
-
Filesize
280B
MD5 798122bbe1b99cbaea1550202383fbcb
SHA1 6ff30caac3791b723d14888284bcc7e63e4ee46c
SHA256 873cf398c7ab42c54de557c86152c0c0a5badc1e6ff79ddd52096113d2aee9e2
SHA512 86a369554550b0ca2e5ca89afd3e2c545f495fc3f7dfc1b4aa9df594c1a3ffe3b5334530f5e352cbc142bc6f09469c19e4af1faeb6d3766a5302e61700d2b1c4
-
Filesize
2.1MB
MD5 ae99fbc4f42b915c4521cde77c78d2d0
SHA1 da72c11da8a591d29381fd8844680a43c4ba8749
SHA256 0797801f0f2616d4318db710e92d64e4bd6578596a9f011ea4b811719350e87b
SHA512 0e2447147052ce49c963fa06e1495efa085fba34fd2d679da87ad69d5fd729d6455e8e9984239483f553b25ced99476d8a8b83eb8192bf5b0c98ca3d57e708ee
-
Filesize
280B
MD5 16d9c6f927abc2587253851e61250000
SHA1 22c8e3a862afdf698e72883898180a5b97918b08
SHA256 60d409cc4b3582c1e22876aedaade403dde813ae5667b5ed9e5e1f76c7e1ea69
SHA512 3806e84f36ede09407258ce997fae2d00904795b2f5a79ca310b784e1b29c236a6660385b54ba3031979753aab71a8e860c2dccf97fbe7ee3e45acca5200bc72
-
Filesize
4KB
MD5 36623fdc9ab4fcdd91f95513c05dc531
SHA1 6c2622229c9ab053ad726b8b19118bdbda16075c
SHA256 8eb34ba8ca512790304a963b1954ed5628284f4698df3290767070c1eef81c0e
SHA512 d28ae8fee64c9237065f5530e61b041a97b611956508946298b6b2f99e8d359f282a969f294db05ec48c2d3ad16533175e4a1591be7903c22dfe133fc3c2cfc2