Analysis

max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 06:00
Static task: static1

Behavioral task: behavioral1
  Sample: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
  Resource: win10v2004-20241007-en
General

Target: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Size: 320KB
MD5: 740afbeaa06922e913a871f592541331
SHA1: b0eaeb7152f55f42fa0126d9e2b2117ddfec1cff
SHA256: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3
SHA512: 26657d4dba67ba090ca44fcc48cc71824fde5416dea856bc5c5a09a0a9c36c831e8daa335af2d6f46b1174f7cd8867ef3c664e0e121c94be368411db51a05881
SSDEEP: 6144:4TwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:WXgvmzFHi0mo5aH0qMzd5807FRPJQPDV
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | hqyziq.exe

UAC bypass (12 IoCs; title as listed for both processes in the Processes section)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hqyziq.exe

Adds policy Run key to start application (2 TTPs, 26 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe" | hqyziq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqlzvqgbvklarokvuey.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "wurhfcurnehyrqobcokif.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "jeylgapjcqqeuqlvtc.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wurhfcurnehyrqobcokif.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqlzvqgbvklarokvuey.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "aunztmatlyxkzuoxu.exe" | hqyziq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wurhfcurnehyrqobcokif.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\laovkyhviqks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "uqlzvqgbvklarokvuey.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ogxhzqctjurcpia = "tmepianfwigsgatb.exe" | hqyziq.exe

Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqyziq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqyziq.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe

Executes dropped EXE (2 IoCs)
pid | Process
1340 | hqyziq.exe
1856 | hqyziq.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | hqyziq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | hqyziq.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | hqyziq.exe

Loads dropped DLL (4 IoCs)
pid | Process
2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe

Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqlzvqgbvklarokvuey.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "aunztmatlyxkzuoxu.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "uqlzvqgbvklarokvuey.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aunztmatlyxkzuoxu = "heapmizvqgiyqolxxida.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "aunztmatlyxkzuoxu.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uqlzvqgbvklarokvuey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uqlzvqgbvklarokvuey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe ." | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "jeylgapjcqqeuqlvtc.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wurhfcurnehyrqobcokif.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "uqlzvqgbvklarokvuey.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "wurhfcurnehyrqobcokif.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aunztmatlyxkzuoxu = "uqlzvqgbvklarokvuey.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "wurhfcurnehyrqobcokif.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqlzvqgbvklarokvuey.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "heapmizvqgiyqolxxida.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "heapmizvqgiyqolxxida.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeylgapjcqqeuqlvtc.exe ." | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uqlzvqgbvklarokvuey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aunztmatlyxkzuoxu = "wurhfcurnehyrqobcokif.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aunztmatlyxkzuoxu = "jeylgapjcqqeuqlvtc.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "uqlzvqgbvklarokvuey.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeylgapjcqqeuqlvtc.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uqlzvqgbvklarokvuey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqlzvqgbvklarokvuey.exe" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aunztmatlyxkzuoxu = "aunztmatlyxkzuoxu.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wurhfcurnehyrqobcokif.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wurhfcurnehyrqobcokif.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "wurhfcurnehyrqobcokif.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uqlzvqgbvklarokvuey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeylgapjcqqeuqlvtc.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "C:\\Users\\Admin\\AppData\\Local\\Temp\\heapmizvqgiyqolxxida.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jeylgapjcqqeuqlvtc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunztmatlyxkzuoxu.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmepianfwigsgatb = "aunztmatlyxkzuoxu.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uqlzvqgbvklarokvuey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmepianfwigsgatb.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "uqlzvqgbvklarokvuey.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uqlzvqgbvklarokvuey = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uqlzvqgbvklarokvuey.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcsbsitjyieoas = "heapmizvqgiyqolxxida.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kapxncmbpytcn = "jeylgapjcqqeuqlvtc.exe" | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aunztmatlyxkzuoxu = "heapmizvqgiyqolxxida.exe ." | hqyziq.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\aunztmatlyxkzuoxu = "wurhfcurnehyrqobcokif.exe ." | hqyziq.exe

Checks whether UAC is enabled (6 IoCs; title as listed for both processes in the Processes section)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqyziq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqyziq.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | hqyziq.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | hqyziq.exe

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | whatismyip.everdot.org
4 | www.whatismyip.ca
5 | whatismyipaddress.com
9 | www.showmyipaddress.com

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\laovkyhviqkscshldgtiwdsgpdqysakapt.obq | hqyziq.exe
File opened for modification | C:\Windows\SysWOW64\ycfbfigjlironswpwoquxtx.ybd | hqyziq.exe
File created | C:\Windows\SysWOW64\ycfbfigjlironswpwoquxtx.ybd | hqyziq.exe
File opened for modification | C:\Windows\SysWOW64\laovkyhviqkscshldgtiwdsgpdqysakapt.obq | hqyziq.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\ycfbfigjlironswpwoquxtx.ybd | hqyziq.exe
File created | C:\Program Files (x86)\ycfbfigjlironswpwoquxtx.ybd | hqyziq.exe
File opened for modification | C:\Program Files (x86)\laovkyhviqkscshldgtiwdsgpdqysakapt.obq | hqyziq.exe
File created | C:\Program Files (x86)\laovkyhviqkscshldgtiwdsgpdqysakapt.obq | hqyziq.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\ycfbfigjlironswpwoquxtx.ybd | hqyziq.exe
File opened for modification | C:\Windows\laovkyhviqkscshldgtiwdsgpdqysakapt.obq | hqyziq.exe
File created | C:\Windows\laovkyhviqkscshldgtiwdsgpdqysakapt.obq | hqyziq.exe
File opened for modification | C:\Windows\ycfbfigjlironswpwoquxtx.ybd | hqyziq.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqyziq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqyziq.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1856 | hqyziq.exe (the same entry is repeated 64 times in the report)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1856 | hqyziq.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2452 wrote to memory of 1340 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 30
PID 2452 wrote to memory of 1340 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 30
PID 2452 wrote to memory of 1340 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 30
PID 2452 wrote to memory of 1340 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 30
PID 2452 wrote to memory of 1856 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 31
PID 2452 wrote to memory of 1856 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 31
PID 2452 wrote to memory of 1856 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 31
PID 2452 wrote to memory of 1856 | 2452 | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe | 31

System policy modification (1 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | hqyziq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqyziq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | hqyziq.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | hqyziq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | hqyziq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2452
[2] C:\Users\Admin\AppData\Local\Temp\hqyziq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hqyziq.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID: 1340
[2] C:\Users\Admin\AppData\Local\Temp\hqyziq.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hqyziq.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1856
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Safe Mode Boot 1
- Modify Registry 5
Downloads
-
Filesize 280B
MD5 891bd53abf41a06160a0bb1ca7f0a861
SHA1 cb9cad3ccbf55fa3ea9b2a339c19d43dbdab8feb
SHA256 3308569acd53326f48c8b5b9955fa2db26bfcd37dcc7f3db9cdf08047d8124e9
SHA512 8b4f9830f074a150b9484afeef87610e5cf12aa1fd73e83269de30167d2958f7387ede2d7fdb3fb2ee077a2f1662b4e20d19b7f2750d4e89aa1b554c8ee21671
-
Filesize 280B
MD5 48944158bccf70d11f89db9ec6641826
SHA1 e581f77a2dba3af2682b990ac68b93030426c6a6
SHA256 0ecdd68dd6d08ee1e824e65c7482d597b21b875f7715fe3db92b90496624d660
SHA512 5a60cd400ab69f7f4b35a0cd1b3c519669bc53da9d5b1dba68e04ea3b39340f53455727dfa73c4cf83f2947c4adf8737eb25ef9a064e3568a614305eff58fcdd
-
Filesize 280B
MD5 957e824ac5c2229c04c528e2b05ac494
SHA1 c93506efaafbab4091abe4e12058ffbadebadc53
SHA256 1ed92b2bfaab5d75e86e5e8c582140b2234ec307cd083dab119ad7a9c80b2cf7
SHA512 099cad6f910d81697cb161318e71132771a241732c35991b8ffcc428bbe287e694a2550490685447151d96b42edf22d3c00f3cb3ccf29325328846b3815b94f5
-
Filesize 280B
MD5 e62d949a55614aced61b04f96fd718f7
SHA1 7c09757baa9a60c26e455be7bd7e7bbbcb9efcb5
SHA256 b57e5682d718dac33aa80bbeb6033e2983874a98581449d4af402799ea22bcfd
SHA512 e1644cb4412dda15d2419afcd1f134a78c7353437157d9322082f8cdd387c2686e2b00ebfa4577d00ce3f90764fb544df86213749af92cf8b6c75566b0d7af3e
-
Filesize 280B
MD5 9376e80681d449f4254dd164aa81a9b9
SHA1 b212c1e17a821919b2f0a762e333d2a095aa68b6
SHA256 7c46fb0b3180962f4ae4e2e3bf3a00fb584548a27152a36f2e7ef5a9bff60d34
SHA512 7696554b34f67363cb674682406c6379ee3b5dcf9e8c1148dd6fc3711669d6348d6af143fdea0ecc3e8c350e4ab264e6b59ba9b73d8941fe6b755fd0664f32f3
-
Filesize 280B
MD5 680479fb806e24a2216dce669fa02e7e
SHA1 cef74c4800a45987d2cdffb1b1f0eadd6203a1e7
SHA256 83f6aef80b9e38a76a3989548d8c97cc5a7d4ca2ca95c70e96e55608365b570c
SHA512 d16ba56c5edc6c3df3076be5fa638385299871fc73f730c7d21c566c46b7b0f010ec348935518d200df148184f9bb970c020df996e9a4150315ad76f9e1a9915
-
Filesize 280B
MD5 c3e037ba745026d15aa38e8b50a67400
SHA1 7b50c4dba8a76e99d1fa8b8ccc68cf7d8eddbc55
SHA256 2ce54f1bbb9f172aa39bc4aa79f86e88ecd95d4f31bd9b12a0ea6418b8fe9576
SHA512 3f35950d81688b5a94d75d54b0171379e63a9542a83969ecc1998384455723ebcb599acb9b26f0459586d4c078ab06d711dfa898978803160349853f2c173dac
-
Filesize 716KB
MD5 cb855632f23d576859bf3d96b2c60d25
SHA1 e133449ac4c1c3a49ca10c896115419449fb99d2
SHA256 fafd6f94c3c7ddad7f85c2a45704ea6ac50c471bfaacf7448bb631e6aeba2895
SHA512 43876af9121a9e6116186002eb4c32f8a5ccce9a75965175b794a60bc8dab67c963c66ca0d8483d5792153f20b6c893d7452abd571522d34472c82a65a96f667
-
Filesize 4KB
MD5 9442306862139b4b35e8b4e3301eaee4
SHA1 cad8b0c717923d2bea983b555ed6bd256a370551
SHA256 fef22c8bd7b3cc9c6262079807f835a34bab2f095d0f6acff8d4dbd469764d4f
SHA512 86e469e56c4a29cc23d38c5d57f49ecc572fdd2727ca6497c76b96caedbc5f0abf9983d7e9cb73b895e19226926388e4a55141c06e73b818fec2898d3d1b6e72
-
Filesize 280B
MD5 e0251929a19dd18ba5a4c218583bfd83
SHA1 d0f6ff6019a1d03c1363f3db6e2ccf74993c69d9
SHA256 a26bed6144c84ad369585aa4d10eb38318fcede7238e5fdb2de5977f26b1cf85
SHA512 b10db7dbf7a68cda075af00c14b12351d0ac85b5ad43952fadf6708cf2786c2dda3ca99ccdb3692c4d69bf5787f19e865f941028d70e12bda0eeb253e2462a0f