Analysis

max time kernel: 120s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/11/2024, 18:14

Static task: static1

Behavioral task: behavioral1
  Sample: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
  Resource: win10v2004-20241007-en

General

Target: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Size: 320KB
MD5: 7aaa28ceb63303ddec0abe580b4d1ff0
SHA1: 491b70864a07a5dada35a4119119174da47d878c
SHA256: f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362ea
SHA512: 040dde561ad1541b3df357d3bfed1605673982008704a85aba5e2c22a5a6f445049267388af37d2f1df316b166f56bab281c8b3af44b019331c72f25ff567390
SSDEEP: 6144:qTwZo1IV3puaibGKFHi0mofhaH05kipz016580bHFbl86JQPDHDdx/QtqR:EXgvmzFHi0mo5aH0qMzd5807FRPJQPDV
Malware Config
Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | lpwcjs.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lpwcjs.exe
Adds policy Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe" | lpwcjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "ypjcwsgcwrdzwxxhija.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etlcuoaumfpjedbji.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "atpkgeusolzxwzbnqtmid.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldysnkzwrnaxvxyjlnfa.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "etlcuoaumfpjedbji.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "etlcuoaumfpjedbji.exe" | lpwcjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbnykyeserv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pbqetktkzpwnfb = "atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Executes dropped EXE 2 IoCs
pid | Process
3236 | lpwcjs.exe
2124 | lpwcjs.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | lpwcjs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | lpwcjs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | lpwcjs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | lpwcjs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | lpwcjs.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | lpwcjs.exe
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "etlcuoaumfpjedbji.exe ." | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "ndwohcpkdxidzzyhhh.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "ndwohcpkdxidzzyhhh.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "etlcuoaumfpjedbji.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "atpkgeusolzxwzbnqtmid.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "xlcsjcngxpyrljgn.exe ." | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldysnkzwrnaxvxyjlnfa.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "etlcuoaumfpjedbji.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "xlcsjcngxpyrljgn.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpkgeusolzxwzbnqtmid.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "etlcuoaumfpjedbji.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "xlcsjcngxpyrljgn.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "ldysnkzwrnaxvxyjlnfa.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlcsjcngxpyrljgn.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpkgeusolzxwzbnqtmid.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "ldysnkzwrnaxvxyjlnfa.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlcsjcngxpyrljgn.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "atpkgeusolzxwzbnqtmid.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "ndwohcpkdxidzzyhhh.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndwohcpkdxidzzyhhh.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etlcuoaumfpjedbji.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ndwohcpkdxidzzyhhh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "xlcsjcngxpyrljgn.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "xlcsjcngxpyrljgn.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "ndwohcpkdxidzzyhhh.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypjcwsgcwrdzwxxhija.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "atpkgeusolzxwzbnqtmid.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "ypjcwsgcwrdzwxxhija.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "ypjcwsgcwrdzwxxhija.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "atpkgeusolzxwzbnqtmid.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "atpkgeusolzxwzbnqtmid.exe" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "ypjcwsgcwrdzwxxhija.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etlcuoaumfpjedbji.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndwohcpkdxidzzyhhh.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "xlcsjcngxpyrljgn.exe ." | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pzmylahwjxcr = "ldysnkzwrnaxvxyjlnfa.exe" | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etlcuoaumfpjedbji.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "ypjcwsgcwrdzwxxhija.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\etlcuoaumfpjedbji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etlcuoaumfpjedbji.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oznaoemcqflbs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etlcuoaumfpjedbji.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlcsjcngxpyrljgn = "atpkgeusolzxwzbnqtmid.exe ." | lpwcjs.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfvkascukbjburn = "etlcuoaumfpjedbji.exe" | lpwcjs.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpwcjs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpwcjs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | lpwcjs.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | lpwcjs.exe
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
36 | whatismyip.everdot.org
38 | www.whatismyip.ca
16 | www.whatismyip.ca
20 | whatismyipaddress.com
23 | www.showmyipaddress.com
32 | www.whatismyip.ca
33 | whatismyip.everdot.org
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\cbdegkgkmpjnsbjbktsuvxb.bdg | lpwcjs.exe
File created | C:\Windows\SysWOW64\cbdegkgkmpjnsbjbktsuvxb.bdg | lpwcjs.exe
File opened for modification | C:\Windows\SysWOW64\pzmylahwjxcrhbuxrlviuhwdsftyndxqtn.req | lpwcjs.exe
File created | C:\Windows\SysWOW64\pzmylahwjxcrhbuxrlviuhwdsftyndxqtn.req | lpwcjs.exe

Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\cbdegkgkmpjnsbjbktsuvxb.bdg | lpwcjs.exe
File created | C:\Program Files (x86)\cbdegkgkmpjnsbjbktsuvxb.bdg | lpwcjs.exe
File opened for modification | C:\Program Files (x86)\pzmylahwjxcrhbuxrlviuhwdsftyndxqtn.req | lpwcjs.exe
File created | C:\Program Files (x86)\pzmylahwjxcrhbuxrlviuhwdsftyndxqtn.req | lpwcjs.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\pzmylahwjxcrhbuxrlviuhwdsftyndxqtn.req | lpwcjs.exe
File created | C:\Windows\pzmylahwjxcrhbuxrlviuhwdsftyndxqtn.req | lpwcjs.exe
File opened for modification | C:\Windows\cbdegkgkmpjnsbjbktsuvxb.bdg | lpwcjs.exe
File created | C:\Windows\cbdegkgkmpjnsbjbktsuvxb.bdg | lpwcjs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lpwcjs.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lpwcjs.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | lpwcjs.exe
Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | lpwcjs.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
3236 | lpwcjs.exe (this row is repeated 18 times in the report)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2124 | lpwcjs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3236 | lpwcjs.exe
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 2952 wrote to memory of 3236 | 2952 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 84
PID 2952 wrote to memory of 3236 | 2952 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 84
PID 2952 wrote to memory of 3236 | 2952 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 84
PID 2952 wrote to memory of 2124 | 2952 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 85
PID 2952 wrote to memory of 2124 | 2952 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 85
PID 2952 wrote to memory of 2124 | 2952 | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe | 85
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | lpwcjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lpwcjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lpwcjs.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | lpwcjs.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | lpwcjs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f569a61883e6331826ceea45fac8063b8b1e8706cd3edf686afc64cd61e362eaN.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\lpwcjs.exe (depth 2, child of PID 2952)
Command line: "C:\Users\Admin\AppData\Local\Temp\lpwcjs.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3236
-
-
C:\Users\Admin\AppData\Local\Temp\lpwcjs.exe (depth 2, child of PID 2952)
Command line: "C:\Users\Admin\AppData\Local\Temp\lpwcjs.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- System policy modification
PID:2124
-
-
C:\Windows\System32\rundll32.exe (depth 1)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:2272
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
-
Filesize 280B
MD5 ea422d4eddc53dfa8dd4d24cd40be740
SHA1 3be38245fc4fd597742333e4981110d7800f0232
SHA256 644af78a763b653a689bd4178f125a3c72cde6698efca5443560389c12f510bb
SHA512 c601d59ec646459808307448dc6455a54aa208f4655bda3da6c7e7207609ac164be921e31cf307e876b73ce7ceb6253d54e2a7bf2a4b73775f4a259b3069cdbc
-
Filesize 280B
MD5 5fc2e76c861f0e6551878db0831b3f6b
SHA1 11081735c6d9fb795e440ef2dc3466ab2355d04c
SHA256 17fe7ca7f5685539b781b455469139dc09c0c0e6eb54e435faf45e0ccef3d229
SHA512 74e1d49fd88b36f27c6f892c27ca9d1c2a9b3637304ab67063f67f39713b0da597070f80295d1495cd85e4a8d1ef93ad2af8718579989d9a545332352ca12e1b
-
Filesize 280B
MD5 0655cfb658546fee94e1163d3e721add
SHA1 626c60f733caea3d711ed40ed490e3c7bef159e4
SHA256 60217f10ad8a9904fb0137753cb39acc87136a658fe37f68511f1e59bbf0fca7
SHA512 349d145e71c4ba272f75e91db5b68794c3729acb960df2e9c2a297d55b82b9c7daa6102a50505a23714b0a6b51492136448bd67599e2082cc8f5d26d72f980a1
-
Filesize 280B
MD5 80aa56e95d31256f876d25c78c977906
SHA1 bc23b29860a2d13a1e829711eb7db82d0214e5f7
SHA256 da801d9fecb703554e8b1f160bab7a7f84b0ea14624b81c7399c3938d2ba8ce9
SHA512 46308704c759f969027589f50bde1692f82059998cb4817f390cef9ccdf66cfc9d49c44df2c03c6f8b560adfb72eb1a8a7f723c6c42372bb57af69846c8c6476
-
Filesize 280B
MD5 3ffb2d5b4e85d62da4c11322adc4e9d5
SHA1 8fc20cb9021bafb2bb832bd17d151cb711a1334b
SHA256 d7754a84e8287072f4fc53a4c66705d2c9184645aab2b2e348084daa78eaeb98
SHA512 6fbad0e08e0c27acdb0794fb13df4f90073d475f678ccc31304c55fb2b82a6d59aab83e2673f9094da5f47ebb26f04a0a1095fb1deee44fbe4edc23ef6ca04e4
-
Filesize 724KB
MD5 bbad29dc5c72e6181291e0700d909c1f
SHA1 11ee7d29a1f74b65402919b2fb1e3c6a7e0a15f2
SHA256 d2885bf9441e0acd82bd2f508525189d6eaa7c636b5cf47f62fdc668c1fce10e
SHA512 169d99552ad2cce471a7d596e84073011495cfb7fab8b4710218361f0ff8bb8c5f6aec8e146a000ea7906e7bcb0e504a93b20329e01317f6b25e9cceba704407
-
Filesize 280B
MD5 c30425e0ec292971bf107a06c89d6a2e
SHA1 83e2d46797dc161cbc3e9a1d9dc2385745b67391
SHA256 5959c3b9630ff13b1e7ee4136d6c3c04ccdbaa9e69974f049caad366553f1329
SHA512 601137d04d62292fb2e796407757780d5e04eaca69ecfe8ef2d3cb10cc2fdfb5bb0ab33da315130b9f1bf01e4057e09527fbc4c8c61a50d8fc95124fbb7cea96
-
Filesize 280B
MD5 c48791eb0a3e22364751181527eec9f1
SHA1 d5a22a665be3082bbf5017a48611c988d5afad0b
SHA256 7bc15edb4888bd3bf17064cd070843c0a1bda15d99bd6d5d776cb8fa8ff49c1a
SHA512 05753a983269bfb0339cf761bd05c60e6168864d6f0ec61c2a07af8c6ae5f817bd833c75c1f1fa843a346c92825b6f672fe1c2d241f60ebca23f21504cada258
-
Filesize 4KB
MD5 07563b4adb543c481343f6472ecd3a37
SHA1 c477ae6de811adf979bfe2a12d2dbc44c6fdcf30
SHA256 3eeabc88f181baeee0fda9ec0e9f701adcf397355a25bc11eb09c60bf0895f82
SHA512 2fd7363d125ebaaf2f030a88f7b31346f32c74fb17110a207330f8ee6381ea74a4c67c71a7ccefd16bd504864a1e5f59423dd7badd9dc1b9feac7a6a255dbf49