Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 22/11/2024, 18:49
Static task: static1
Behavioral task: behavioral1
  Sample: 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
  Resource: win10v2004-20241007-en
General
Target: 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
Size: 3.2MB
MD5: d1824b06f3bd783c114ad66173ac58c5
SHA1: 24fd0f8539cbd0ab4bc509ecc7e0f345608dc47b
SHA256: 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47
SHA512: 534702ef7c2dddb8b62df7cc7b6afc01565de3032fbf8a1f0ddaff6d4cf6b880f66943ea4cf754067d60b45ab9578b80917432db5e7e921b9dcbbe34d95ccda9
SSDEEP: 12288:rXgvmzFHi0mo5aH0qMzd58p7FiKPJQPDHvd3:rXgvOHi0mGaH0qSd+Fl4V3
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | acfmr.exe
UAC bypass
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | acfmr.exe
Adds policy Run key to start application 2 TTPs 28 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "aslidztmoedqeydnxsogz.exe" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncsmexoedqmwhyahog.exe" | acfmr.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncsmexoedqmwhyahog.exe" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\losagn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ekrclvdka = "yofatnfwwkhsewzhpic.exe" | acfmr.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | acfmr.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | acfmr.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | acfmr.exe
Executes dropped EXE 2 IoCs
pid | Process
- 2636 | acfmr.exe
- 2376 | acfmr.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description | ioc | Process
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | acfmr.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | acfmr.exe
- Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | acfmr.exe
Loads dropped DLL 4 IoCs
pid | Process
- 2092 | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe (4 identical entries)
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "lcuqkfyqrgeqdwajsmhy.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "yofatnfwwkhsewzhpic.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe ." | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyjylzlwqypua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esharjzomytcmcdjp.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esharjzomytcmcdjp.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "lcuqkfyqrgeqdwajsmhy.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "ncsmexoedqmwhyahog.exe ." | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "aslidztmoedqeydnxsogz.exe ." | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "ncsmexoedqmwhyahog.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyjylzlwqypua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcuqkfyqrgeqdwajsmhy.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "esharjzomytcmcdjp.exe" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyjylzlwqypua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyjylzlwqypua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncsmexoedqmwhyahog.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "esharjzomytcmcdjp.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "aslidztmoedqeydnxsogz.exe" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe ." | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "lcuqkfyqrgeqdwajsmhy.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyjylzlwqypua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "ncsmexoedqmwhyahog.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "lcuqkfyqrgeqdwajsmhy.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyjylzlwqypua = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aslidztmoedqeydnxsogz.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "aslidztmoedqeydnxsogz.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "esharjzomytcmcdjp.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pyiwivgqjqgk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "esharjzomytcmcdjp.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "esharjzomytcmcdjp.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "xkyqgxmaxicktiin.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nsyiqzgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yofatnfwwkhsewzhpic.exe ." | acfmr.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\xemyitckbg = "yofatnfwwkhsewzhpic.exe" | acfmr.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ychqxfl = "yofatnfwwkhsewzhpic.exe" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sajwhtdmekz = "yofatnfwwkhsewzhpic.exe ." | acfmr.exe
Checks whether UAC is enabled
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acfmr.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acfmr.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | acfmr.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 9 | whatismyip.everdot.org
- 11 | whatismyipaddress.com
- 3 | www.showmyipaddress.com
- 8 | www.whatismyip.ca
Drops file in System32 directory 4 IoCs
description | ioc | Process
- File created | C:\Windows\SysWOW64\cazcdffemingaalbrsusruv.xwe | acfmr.exe
- File opened for modification | C:\Windows\SysWOW64\pyiwivgqjqgkpawxykxgqeqdoyryosxief.sfo | acfmr.exe
- File created | C:\Windows\SysWOW64\pyiwivgqjqgkpawxykxgqeqdoyryosxief.sfo | acfmr.exe
- File opened for modification | C:\Windows\SysWOW64\cazcdffemingaalbrsusruv.xwe | acfmr.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
- File opened for modification | C:\Program Files (x86)\cazcdffemingaalbrsusruv.xwe | acfmr.exe
- File created | C:\Program Files (x86)\cazcdffemingaalbrsusruv.xwe | acfmr.exe
- File opened for modification | C:\Program Files (x86)\pyiwivgqjqgkpawxykxgqeqdoyryosxief.sfo | acfmr.exe
- File created | C:\Program Files (x86)\pyiwivgqjqgkpawxykxgqeqdoyryosxief.sfo | acfmr.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\cazcdffemingaalbrsusruv.xwe | acfmr.exe
- File created | C:\Windows\cazcdffemingaalbrsusruv.xwe | acfmr.exe
- File opened for modification | C:\Windows\pyiwivgqjqgkpawxykxgqeqdoyryosxief.sfo | acfmr.exe
- File created | C:\Windows\pyiwivgqjqgkpawxykxgqeqdoyryosxief.sfo | acfmr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acfmr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acfmr.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
- 2636 | acfmr.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 2636 | acfmr.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
- PID 2092 wrote to memory of 2636 | 2092 | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe | 30 (4 identical entries)
- PID 2092 wrote to memory of 2376 | 2092 | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe | 31 (4 identical entries)
System policy modification 1 TTPs 36 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | acfmr.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | acfmr.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | acfmr.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | acfmr.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | acfmr.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | acfmr.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe "C:\Users\Admin\AppData\Local\Temp\9a6adbd778780648e6b465adecad694bd5a61355508c6b2cd87f9115fa349a47.exe" (process tree depth 1)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2092
  C:\Users\Admin\AppData\Local\Temp\acfmr.exe "C:\Users\Admin\AppData\Local\Temp\acfmr.exe" "-" (process tree depth 2)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2636
  C:\Users\Admin\AppData\Local\Temp\acfmr.exe "C:\Users\Admin\AppData\Local\Temp\acfmr.exe" "-" (process tree depth 2)
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:2376
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads