Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 22/11/2024, 09:00
Static task: static1
Behavioral task: behavioral1 (Sample: 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe, Resource: win7-20241010-en)
Behavioral task: behavioral2 (Sample: 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe, Resource: win10v2004-20241007-en)
General
- Target: 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
- Size: 320KB
- MD5: f994621fb8d39133c91165a336bfa517
- SHA1: 02f1f61bd246cbb0a7cd7e1aed69e48628d15d7a
- SHA256: 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715
- SHA512: e3bd52ae4070e6bab51802247788e91ad5edf66272fc2668bfff14c867636931c53eb19653bb081459e0f9f45bf4dcc9df03933863ff81d0a61c4d688e908b6b
- SSDEEP: 6144:0TwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqRr:qXgvmzFHi0mo5aH0qMzd5807FRPJQPDH
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe

UAC bypass (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | omwfkt.exe
Adds policy Run key to start application (2 TTPs, 28 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqlfvpesjzifrmlie.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "aicvkdreujrnysqm.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aicvkdreujrnysqm.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "bmjfxtkatlwvjghgewf.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oayvolduohttigiihakw.exe" | omwfkt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "qawridtiarbzmiigdu.exe" | omwfkt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oayvolduohttigiihakw.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "oayvolduohttigiihakw.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "bmjfxtkatlwvjghgewf.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aicvkdreujrnysqm.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "qawridtiarbzmiigdu.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\balvblq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acqdmzhoyh = "aicvkdreujrnysqm.exe" | omwfkt.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | omwfkt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | omwfkt.exe
Executes dropped EXE (2 IoCs)
pid | Process
2340 | omwfkt.exe
2880 | omwfkt.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | omwfkt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | omwfkt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | omwfkt.exe
Loads dropped DLL (4 IoCs)
pid | Process
2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe (4 identical events)
Adds Run key to start application (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "aicvkdreujrnysqm.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqpnhfyqlfstjilmmgred.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "aicvkdreujrnysqm.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwndpfqanzexf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oayvolduohttigiihakw.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aicvkdreujrnysqm.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "hqlfvpesjzifrmlie.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "hqlfvpesjzifrmlie.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "hqlfvpesjzifrmlie.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oayvolduohttigiihakw.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "qawridtiarbzmiigdu.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "qawridtiarbzmiigdu.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "oayvolduohttigiihakw.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "aicvkdreujrnysqm.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "oayvolduohttigiihakw.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oayvolduohttigiihakw.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwndpfqanzexf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqlfvpesjzifrmlie.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "dqpnhfyqlfstjilmmgred.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "oayvolduohttigiihakw.exe ." | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "bmjfxtkatlwvjghgewf.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqpnhfyqlfstjilmmgred.exe ." | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "bmjfxtkatlwvjghgewf.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwndpfqanzexf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe ." | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwndpfqanzexf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwndpfqanzexf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oayvolduohttigiihakw.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqpnhfyqlfstjilmmgred.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aicvkdreujrnysqm.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "aicvkdreujrnysqm.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "bmjfxtkatlwvjghgewf.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "oayvolduohttigiihakw.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qawridtiarbzmiigdu.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "bmjfxtkatlwvjghgewf.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aicvkdreujrnysqm.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "bmjfxtkatlwvjghgewf.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "oayvolduohttigiihakw.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwndpfqanzexf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qawridtiarbzmiigdu.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "hqlfvpesjzifrmlie.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "dqpnhfyqlfstjilmmgred.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aicvkdreujrnysqm.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qawridtiarbzmiigdu.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\vynblziqblo = "oayvolduohttigiihakw.exe" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syqhulxiwjpjsk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qawridtiarbzmiigdu.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwndpfqanzexf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqpnhfyqlfstjilmmgred.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "hqlfvpesjzifrmlie.exe" | omwfkt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "dqpnhfyqlfstjilmmgred.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swmbmblugrvn = "bmjfxtkatlwvjghgewf.exe ." | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqcnuflq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmjfxtkatlwvjghgewf.exe" | omwfkt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hivhpbiox = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oayvolduohttigiihakw.exe ." | omwfkt.exe

Checks whether UAC is enabled (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | omwfkt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | omwfkt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | omwfkt.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | omwfkt.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | whatismyipaddress.com
5 | whatismyip.everdot.org
9 | www.whatismyip.ca
13 | www.showmyipaddress.com
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\uqyfiprswzvfemyiruokszcjlm.tpz | omwfkt.exe
File opened for modification | C:\Windows\SysWOW64\vcvnbtgshvcxhaxsmafmfxldqcrfmhrkhcwkp.phv | omwfkt.exe
File created | C:\Windows\SysWOW64\vcvnbtgshvcxhaxsmafmfxldqcrfmhrkhcwkp.phv | omwfkt.exe
File opened for modification | C:\Windows\SysWOW64\uqyfiprswzvfemyiruokszcjlm.tpz | omwfkt.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\vcvnbtgshvcxhaxsmafmfxldqcrfmhrkhcwkp.phv | omwfkt.exe
File opened for modification | C:\Program Files (x86)\uqyfiprswzvfemyiruokszcjlm.tpz | omwfkt.exe
File created | C:\Program Files (x86)\uqyfiprswzvfemyiruokszcjlm.tpz | omwfkt.exe
File opened for modification | C:\Program Files (x86)\vcvnbtgshvcxhaxsmafmfxldqcrfmhrkhcwkp.phv | omwfkt.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\uqyfiprswzvfemyiruokszcjlm.tpz | omwfkt.exe
File created | C:\Windows\uqyfiprswzvfemyiruokszcjlm.tpz | omwfkt.exe
File opened for modification | C:\Windows\vcvnbtgshvcxhaxsmafmfxldqcrfmhrkhcwkp.phv | omwfkt.exe
File created | C:\Windows\vcvnbtgshvcxhaxsmafmfxldqcrfmhrkhcwkp.phv | omwfkt.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omwfkt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | omwfkt.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2880 | omwfkt.exe (64 identical events)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2880 | omwfkt.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2208 wrote to memory of 2340 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 30
PID 2208 wrote to memory of 2340 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 30
PID 2208 wrote to memory of 2340 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 30
PID 2208 wrote to memory of 2340 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 30
PID 2208 wrote to memory of 2880 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
PID 2208 wrote to memory of 2880 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
PID 2208 wrote to memory of 2880 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
PID 2208 wrote to memory of 2880 | 2208 | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe | 31
System policy modification (1 TTPs, 36 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | omwfkt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | omwfkt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | omwfkt.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | omwfkt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | omwfkt.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1bf36695b0709be363fabd107d3fe8f4b202b1e58b3665408107875839822715.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2208
-
C:\Users\Admin\AppData\Local\Temp\omwfkt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\omwfkt.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID: 2340
-
C:\Users\Admin\AppData\Local\Temp\omwfkt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\omwfkt.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2880
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Impair Defenses (2)
Disable or Modify Tools (1)
Safe Mode Boot (1)
Modify Registry (5)
Downloads
-