Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-11-2024 06:04

Static task: static1

Behavioral task: behavioral1
- Sample: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
- Resource: win10v2004-20241007-en
General
- Target: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
- Size: 320KB
- MD5: 740afbeaa06922e913a871f592541331
- SHA1: b0eaeb7152f55f42fa0126d9e2b2117ddfec1cff
- SHA256: fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3
- SHA512: 26657d4dba67ba090ca44fcc48cc71824fde5416dea856bc5c5a09a0a9c36c831e8daa335af2d6f46b1174f7cd8867ef3c664e0e121c94be368411db51a05881
- SSDEEP: 6144:4TwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:WXgvmzFHi0mo5aH0qMzd5807FRPJQPDV

Malware Config

Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (bjhsw.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" (bjhsw.exe)
UAC bypass 12 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
Adds policy Run key to start application 2 TTPs 27 IoCs
Disables RegEdit via registry modification 6 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (bjhsw.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (bjhsw.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
Executes dropped EXE 2 IoCs
- PID 4736 bjhsw.exe
- PID 2808 bjhsw.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys (bjhsw.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc (bjhsw.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager (bjhsw.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys (bjhsw.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc (bjhsw.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power (bjhsw.exe)
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 6 IoCs
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bjhsw.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bjhsw.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (bjhsw.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (bjhsw.exe)
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 26: www.showmyipaddress.com
- flow 32: www.whatismyip.ca
- flow 33: whatismyip.everdot.org
- flow 36: whatismyip.everdot.org
- flow 18: www.whatismyip.ca
- flow 19: whatismyip.everdot.org
- flow 21: whatismyipaddress.com
Drops file in System32 directory 4 IoCs
- File created C:\Windows\SysWOW64\tltocrzsetjautfgqogojxmunzoevpoabljbj.shp (bjhsw.exe)
- File opened for modification C:\Windows\SysWOW64\szwgjnkstxcirfgwvipmwzdaij.syh (bjhsw.exe)
- File created C:\Windows\SysWOW64\szwgjnkstxcirfgwvipmwzdaij.syh (bjhsw.exe)
- File opened for modification C:\Windows\SysWOW64\tltocrzsetjautfgqogojxmunzoevpoabljbj.shp (bjhsw.exe)
Drops file in Program Files directory 4 IoCs
- File created C:\Program Files (x86)\szwgjnkstxcirfgwvipmwzdaij.syh (bjhsw.exe)
- File opened for modification C:\Program Files (x86)\tltocrzsetjautfgqogojxmunzoevpoabljbj.shp (bjhsw.exe)
- File created C:\Program Files (x86)\tltocrzsetjautfgqogojxmunzoevpoabljbj.shp (bjhsw.exe)
- File opened for modification C:\Program Files (x86)\szwgjnkstxcirfgwvipmwzdaij.syh (bjhsw.exe)
Drops file in Windows directory 4 IoCs
- File opened for modification C:\Windows\szwgjnkstxcirfgwvipmwzdaij.syh (bjhsw.exe)
- File created C:\Windows\szwgjnkstxcirfgwvipmwzdaij.syh (bjhsw.exe)
- File opened for modification C:\Windows\tltocrzsetjautfgqogojxmunzoevpoabljbj.shp (bjhsw.exe)
- File created C:\Windows\tltocrzsetjautfgqogojxmunzoevpoabljbj.shp (bjhsw.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bjhsw.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (bjhsw.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
Modifies registry class 3 IoCs
- Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings (fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe)
- Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings (bjhsw.exe)
- Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings (bjhsw.exe)
Suspicious behavior: EnumeratesProcesses 22 IoCs
- PID 4736 bjhsw.exe (22 identical entries)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
- PID 2808 bjhsw.exe
- PID 4736 bjhsw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege (PID 4736, bjhsw.exe)
Suspicious use of WriteProcessMemory 6 IoCs
- PID 3936 wrote to memory of 4736 (PID 3936 fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe, procid_target 86)
- PID 3936 wrote to memory of 4736 (PID 3936 fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe, procid_target 86)
- PID 3936 wrote to memory of 4736 (PID 3936 fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe, procid_target 86)
- PID 3936 wrote to memory of 2808 (PID 3936 fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe, procid_target 87)
- PID 3936 wrote to memory of 2808 (PID 3936 fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe, procid_target 87)
- PID 3936 wrote to memory of 2808 (PID 3936 fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe, procid_target 87)
System policy modification 1 TTPs 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe
"C:\Users\Admin\AppData\Local\Temp\fb49ccc6f2a133d6b1e955dc7b7775caf9108e22d9a561cb04d76c41c8b755b3.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3936

  C:\Users\Admin\AppData\Local\Temp\bjhsw.exe
  "C:\Users\Admin\AppData\Local\Temp\bjhsw.exe" "-"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4736

  C:\Users\Admin\AppData\Local\Temp\bjhsw.exe
  "C:\Users\Admin\AppData\Local\Temp\bjhsw.exe" "-"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - System policy modification
  PID:2808

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:2312
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Safe Mode Boot 1
- Modify Registry 5
Downloads