Analysis
max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
21-11-2024 02:13
Static task
static1
Behavioral task
behavioral1
Sample
b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
Resource
win10v2004-20241007-en
General
Target
b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
Size
1016KB
MD5
ee47200f60aa0ffe7e554db291da8a8f
SHA1
a2ab0c657b6045b98aca1befb1fe2ce02ca0ae9e
SHA256
b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7
SHA512
02512eaff12cf835116833bead2006aa14e4f86e65f0225887e5d9e2b7a199849222bd15d50bf269e23646192f7cde45f9cb3746964bb6d3e6d325b4d250d478
SSDEEP
6144:GIXsL0tvrSVz1DnemeYbpsnEf78AoXh6KkiD0OofzA+/VygHUM:GIXsgtvm1De5YlOx6lzBH46UM
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | opyclt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | izfuneuesjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | opyclt.exe
Note: the value written is "Explorer.exe", which is the default logon shell, so these writes do not redirect the shell by themselves; the signature fires on any write to Winlogon\Shell. The key sits under Wow6432Node because the sample is a 32-bit process (arch:x86) and WOW64 registry redirection sends its HKLM\SOFTWARE writes to that view.
Disables UAC via registry policy 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | opyclt.exe
Note: EnableLUA = 0 turns UAC off entirely but only takes effect after a reboot; ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 remove the consent prompt and the secure desktop for any elevation that happens before then.
Adds policy Run key to start application 2 TTPs 25 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | opyclt.exe (2 entries), izfuneuesjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szoynbksgjbi = "<name>.exe" | opyclt.exe (11 entries), izfuneuesjp.exe (htncwpdqjroavurnd.exe)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hlxeqbhmx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe" | opyclt.exe (8 entries), izfuneuesjp.exe (bplcytjytdcqnonldma.exe, alesldqcubxicawr.exe)
Here <name> cycles through the six dropped executables: alesldqcubxicawr.exe, bplcytjytdcqnonldma.exe, dtrkifxolxyonqrrlwmkd.exe, htncwpdqjroavurnd.exe, odasplcsozzomoongqfc.exe, qdyojdsgajhuqqolck.exe. The two value names are rewritten over and over, so at any moment each points at one of the six copies. Policies\Explorer\Run is executed at logon like the ordinary Run key but is easy to miss in manual triage.
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | izfuneuesjp.exe, opyclt.exe, opyclt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | opyclt.exe, opyclt.exe, izfuneuesjp.exe
Executes dropped EXE 3 IoCs
pid | Process
768 | izfuneuesjp.exe
1356 | opyclt.exe
2676 | opyclt.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | opyclt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | opyclt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | opyclt.exe
Note: SafeBoot\Minimal lists the services and drivers allowed to start in Safe Mode. Removing WinDefend keeps Windows Defender from starting there; removing ProfSvc (User Profile Service) and Power can leave a Safe Mode session unable to log on or boot cleanly, which hampers offline clean-up.
Loads dropped DLL 6 IoCs
pid | Process
2368 | b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe (2 entries)
768 | izfuneuesjp.exe (4 entries)
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
The 64 entries rewrite eight Run/RunOnce values, in the current user's hive and in the 32-bit (Wow6432Node) HKLM view. Each value is set repeatedly to one of the six dropped executables (alesldqcubxicawr.exe, bplcytjytdcqnonldma.exe, dtrkifxolxyonqrrlwmkd.exe, htncwpdqjroavurnd.exe, odasplcsozzomoongqfc.exe, qdyojdsgajhuqqolck.exe), written below as <name>, either as the bare filename or as the full path under C:\Users\Admin\AppData\Local\Temp\; the RunOnce values carry a trailing " ." argument.
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\rzpaqfpynrksj = "<name>.exe" | opyclt.exe, izfuneuesjp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\afsanzgmyz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe" | opyclt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbpymzhobdu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe ." | opyclt.exe, izfuneuesjp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sbsevlwgwbvews = "<name>.exe ." | opyclt.exe, izfuneuesjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\alesldqcubxicawr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe" | opyclt.exe, izfuneuesjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\afsanzgmyz = "<name>.exe" | opyclt.exe, izfuneuesjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbpymzhobdu = "<name>.exe ." | opyclt.exe, izfuneuesjp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfxkctfqhnislid = "C:\\Users\\Admin\\AppData\\Local\\Temp\\<name>.exe ." | opyclt.exe, izfuneuesjp.exe
Note: the bare-filename entries only work if the loader can find the file on the standard search path, which is presumably why copies of the same six executables are also dropped into C:\Windows and C:\Windows\SysWOW64 (see the file-drop signatures below).
Checks whether UAC is enabled 6 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | opyclt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | opyclt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | izfuneuesjp.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users: EnableInstallerDetection = 0 stops UAC from detecting installers and prompting to elevate them.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | opyclt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | izfuneuesjp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | opyclt.exe
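As an added triage example (not part of the report and not the sample's own code), the Python script below parses IoC entries in the flattened "description ioc Process" form this report uses and buckets them into the tampering categories listed in the registry signatures above: UAC policy values set to 0, DisableRegistryTools, Run/RunOnce/Policies\Explorer\Run persistence, the Winlogon Shell write and SafeBoot\Minimal deletions. It then emits reg.exe commands that put the UAC values back. The values it restores (EnableLUA=1, ConsentPromptBehaviorAdmin=5, ConsentPromptBehaviorUser=3, PromptOnSecureDesktop=1, EnableInstallerDetection=1, EnableVirtualization=1) are assumed stock client defaults, not something the report states; the sample entries are copied from the signatures above.

```python
"""Triage helper: parse flattened registry IoC entries from a sandbox report
and flag UAC tampering, Run-key persistence and Safe Mode tampering."""
import re

# One IoC entry as the report prints it, e.g.
#   Set value (int) \REGISTRY\MACHINE\...\Policies\System\EnableLUA = "0" opyclt.exe
#   Key deleted \REGISTRY\MACHINE\SYSTEM\...\SafeBoot\Minimal\WinDefend opyclt.exe
# Paths may contain spaces ("Windows NT"), so the path group is non-greedy and
# each entry is terminated by the writing process's image name.
IOC_RE = re.compile(
    r'(?P<op>Set value \((?:int|str)\)|Key created|Key deleted|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>\S+\.exe)(?=\s|$)'
)

# Assumed defaults for a stock Windows client; confirm against your own
# baseline before using them for remediation.
UAC_DEFAULTS = {
    "EnableLUA": "1", "ConsentPromptBehaviorAdmin": "5", "ConsentPromptBehaviorUser": "3",
    "PromptOnSecureDesktop": "1", "EnableInstallerDetection": "1", "EnableVirtualization": "1",
}
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Policies\\Explorer\\Run")


def parse_iocs(text):
    """One dict per entry found anywhere in text (entries may be run together on a line)."""
    return [m.groupdict() for m in IOC_RE.finditer(text)]


def to_reg_path(path):
    """Kernel registry path -> the form reg.exe expects."""
    for prefix, root in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.startswith(prefix):
            return root + path[len(prefix):]
    return path


def analyse(events):
    """Bucket registry events into the tampering categories seen in this report."""
    f = {"uac_weakened": set(), "regedit_disabled": set(), "persistence": set(),
         "winlogon_shell": set(), "safeboot_deleted": set()}
    for e in events:
        key, _, name = e["path"].rpartition("\\")
        op, val, proc = e["op"], e["value"] or "", e["proc"]
        if op.startswith("Set value"):
            if key.endswith("\\Policies\\System"):
                if name in UAC_DEFAULTS and val == "0":
                    f["uac_weakened"].add((name, proc))
                elif name == "DisableRegistryTools" and val == "1":
                    f["regedit_disabled"].add((to_reg_path(key), proc))
            elif key.endswith(RUN_KEYS):
                f["persistence"].add((to_reg_path(key), name, val, proc))
            elif key.endswith("\\Winlogon") and name == "Shell":
                # "Explorer.exe" is the default; anything else redirects the logon shell
                f["winlogon_shell"].add((val, val.lower() == "explorer.exe", proc))
        elif op == "Key deleted" and "\\SafeBoot\\Minimal\\" in e["path"]:
            f["safeboot_deleted"].add((name, proc))
    return f


def restore_commands(findings):
    """reg.exe commands that undo the UAC/RegEdit tampering (assumed defaults above)."""
    cmds = set()
    for name, _ in findings["uac_weakened"]:
        cmds.add(f'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" '
                 f'/v {name} /t REG_DWORD /d {UAC_DEFAULTS[name]} /f')
    for key, _ in findings["regedit_disabled"]:
        cmds.add(f'reg delete "{key}" /v DisableRegistryTools /f')
    return sorted(cmds)


# Constructed sample: a handful of entries copied from the signatures above.
SAMPLE = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" izfuneuesjp.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" opyclt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szoynbksgjbi = "qdyojdsgajhuqqolck.exe" opyclt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run izfuneuesjp.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vbpymzhobdu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alesldqcubxicawr.exe ." opyclt.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" opyclt.exe
'''

if __name__ == "__main__":
    findings = analyse(parse_iocs(SAMPLE))
    for category, items in findings.items():
        print(f"{category}: {len(items)}")
        for item in sorted(items):
            print("   ", item)
    print("\n".join(restore_commands(findings)))
```

Because entries are matched by the trailing process name, the parser works on the run-together single-line form of this report as well as on one entry per line, so any signature block can be pasted in as-is. The Winlogon bucket records whether the shell value is the default, which is what separates a noisy write like the one above from a real shell hijack.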
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | www.showmyipaddress.com
4 | whatismyip.everdot.org
5 | www.whatismyip.ca
9 | whatismyipaddress.com
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | opyclt.exe
File created | C:\autorun.inf | opyclt.exe
File opened for modification | F:\autorun.inf | opyclt.exe
File created | F:\autorun.inf | opyclt.exe
Note: since the AutoRun update for Windows 7 (and by default on later versions) autorun.inf is honoured only on optical media, so a file on a fixed or USB volume no longer auto-executes; it remains a good indicator of the sample's spreading routine and of which drives it touched.
Drops file in System32 directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\alesldqcubxicawr.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\SysWOW64\bplcytjytdcqnonldma.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\SysWOW64\dtrkifxolxyonqrrlwmkd.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\SysWOW64\htncwpdqjroavurnd.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\SysWOW64\odasplcsozzomoongqfc.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\SysWOW64\qdyojdsgajhuqqolck.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\SysWOW64\ulkedbumkxzqquwxsevuon.exe | izfuneuesjp.exe, opyclt.exe
File created, File opened for modification | C:\Windows\SysWOW64\alesldqcubxicawrgmxqexpcognjuomidsyjcq.boa | opyclt.exe
File created, File opened for modification | C:\Windows\SysWOW64\ddlowdfgnjuudqblpkksvdkmnuq.bkx | opyclt.exe
(the seven .exe paths are each opened more than once by opyclt.exe; 25 entries in total)
Note: the paths are under SysWOW64 because that is where a 32-bit process's System32 writes land under WOW64 file system redirection; the 64-bit System32 directory is not touched.
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\ddlowdfgnjuudqblpkksvdkmnuq.bkx | opyclt.exe
File created | C:\Program Files (x86)\ddlowdfgnjuudqblpkksvdkmnuq.bkx | opyclt.exe
File opened for modification | C:\Program Files (x86)\alesldqcubxicawrgmxqexpcognjuomidsyjcq.boa | opyclt.exe
File created | C:\Program Files (x86)\alesldqcubxicawrgmxqexpcognjuomidsyjcq.boa | opyclt.exe
Drops file in Windows directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Windows\alesldqcubxicawr.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\bplcytjytdcqnonldma.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\dtrkifxolxyonqrrlwmkd.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\htncwpdqjroavurnd.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\odasplcsozzomoongqfc.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\qdyojdsgajhuqqolck.exe | izfuneuesjp.exe, opyclt.exe
File opened for modification | C:\Windows\ulkedbumkxzqquwxsevuon.exe | izfuneuesjp.exe, opyclt.exe
File created, File opened for modification | C:\Windows\ddlowdfgnjuudqblpkksvdkmnuq.bkx | opyclt.exe
File created, File opened for modification | C:\Windows\alesldqcubxicawrgmxqexpcognjuomidsyjcq.boa | opyclt.exe
(the seven .exe paths are each opened more than once by opyclt.exe; 25 entries in total)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | opyclt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | izfuneuesjp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2368 | b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe
1356 | opyclt.exe
(the signature's 64 entries are repeats of these two processes, alternating throughout the run)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1356 | opyclt.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2368 wrote to memory of 768 | 2368 | b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe | 30 (4 entries)
PID 768 wrote to memory of 1356 | 768 | izfuneuesjp.exe | 31 (4 entries)
PID 768 wrote to memory of 2676 | 768 | izfuneuesjp.exe | 32 (4 entries)
Note: procid_target is the report's own index for the target process, not a Windows PID. Together with "Executes dropped EXE" these entries give the spawn chain b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe (2368) -> izfuneuesjp.exe (768) -> opyclt.exe (1356 and 2676). A parent writing into a child it has just created is part of normal process start-up on Windows, so on their own these entries document the chain rather than prove code injection.
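The chain above can be rebuilt mechanically. The script below is an added example, not part of the report: it parses the "PID x wrote to memory of y" entries and the "Executes dropped EXE" pid list in the form this report prints them, builds a parent/child map with the number of WriteProcessMemory entries per edge, and renders the tree. The sample input reproduces the twelve entries of this signature (four per edge); the regular expressions assume the column order shown above.

```python
"""Rebuild the spawn chain from a report's "Suspicious use of WriteProcessMemory"
entries and its "Executes dropped EXE" pid list."""
import re
from collections import defaultdict

# One entry: "PID 2368 wrote to memory of 768 2368 <parent image> 30"
# (columns: description, pid, Process, procid_target).
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)
# One entry of the "pid Process" list: "768 izfuneuesjp.exe"
EXE_RE = re.compile(r"(?P<pid>\d+) (?P<image>\S+\.exe)")


def build_tree(wpm_text, exe_text):
    """Return (names, children, counts): pid -> image, parent -> sorted child pids,
    and (parent, child) -> number of WriteProcessMemory entries."""
    names, children, counts = {}, defaultdict(set), defaultdict(int)
    for m in EXE_RE.finditer(exe_text):
        names[int(m["pid"])] = m["image"]
    for m in WPM_RE.finditer(wpm_text):
        src, dst = int(m["src"]), int(m["dst"])
        names.setdefault(src, m["image"])  # the writing process names itself in the entry
        children[src].add(dst)
        counts[(src, dst)] += 1
    return names, {p: sorted(c) for p, c in children.items()}, dict(counts)


def roots(children):
    """Pids that write to others but are never written to: the top of each chain."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in targets)


def render(names, children, counts, pid, parent=None, depth=0):
    """Indented one-line-per-process view of the tree below pid."""
    label = f"{pid} {names.get(pid, '?')}"
    if parent is not None:
        label += f"  [{counts[(parent, pid)]} WriteProcessMemory entries from {parent}]"
    lines = ["  " * depth + label]
    for child in children.get(pid, []):
        lines.extend(render(names, children, counts, child, pid, depth + 1))
    return lines


# Constructed sample: the entries of the two signatures above. The report lists
# each WriteProcessMemory edge four times, hence the repetition.
SAMPLE_NAME = "b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe"
EXE_SAMPLE = "pid Process 768 izfuneuesjp.exe 1356 opyclt.exe 2676 opyclt.exe"
WPM_SAMPLE = "\n".join(
    [f"PID 2368 wrote to memory of 768 2368 {SAMPLE_NAME} 30"] * 4
    + ["PID 768 wrote to memory of 1356 768 izfuneuesjp.exe 31"] * 4
    + ["PID 768 wrote to memory of 2676 768 izfuneuesjp.exe 32"] * 4
)

if __name__ == "__main__":
    names, children, counts = build_tree(WPM_SAMPLE, EXE_SAMPLE)
    for root in roots(children):
        print("\n".join(render(names, children, counts, root)))
```

Edges with a count far above what the rest of the tree shows, or edges whose target already existed before the writer (a pid that is not in the dropped-EXE list and has no creation entry), are the ones worth a closer look; an even count per freshly created child, as here, is what plain process creation looks like.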
System policy modification 1 TTPs 36 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" izfuneuesjp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" opyclt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" opyclt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" opyclt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System izfuneuesjp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" opyclt.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" izfuneuesjp.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" opyclt.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" opyclt.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2368
C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe (process tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\izfuneuesjp.exe" "c:\users\admin\appdata\local\temp\b505a14159df87ac31bceb15aea66f17b93c59dd140fc6252988f05b9cef96a7.exe*"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 768
C:\Users\Admin\AppData\Local\Temp\opyclt.exe (process tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\opyclt.exe" "-C:\Users\Admin\AppData\Local\Temp\alesldqcubxicawr.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1356
C:\Users\Admin\AppData\Local\Temp\opyclt.exe (process tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\opyclt.exe" "-C:\Users\Admin\AppData\Local\Temp\alesldqcubxicawr.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Windows directory
- System policy modification
PID: 2676
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
- Registry Run Keys / Startup Folder (2)
- Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
- Disable or Modify Tools (1)
- Safe Mode Boot (1)
- Modify Registry (5)
Downloads