Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2025, 12:42

Behavioral task: behavioral1
Sample: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Resource: win10v2004-20250314-en

General
Target: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Size: 696KB
MD5: a79189ec6015e24cb01ae28574e355b3
SHA1: fa795dff6bcf25e8dc707829c19f2fe6377055fb
SHA256: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a
SHA512: 72a7992caa811cce783cf76499658e1d853552cd589cc7297f0a3cff8cbbfb14dc9b1d11332856b6a33f3c1225c62d10db7a2e967d782f20f6941ed78370ae6c
SSDEEP: 6144:I3Be8ySm8hQAAIfFrRXuEE+0l97mKwKRwHVqF86JQPDHDdx/Qtqa:h/zkFF+EExZmKbRQV4PJQPDHvd
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gvszmt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | gvszmt.exe
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvszmt.exe
Adds policy Run key to start application (2 TTPs, 26 IoCs)
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvszmt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | gvszmt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Executes dropped EXE (2 IoCs)
pid | Process
2696 | gvszmt.exe
2972 | gvszmt.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | gvszmt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | gvszmt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | gvszmt.exe
Loads dropped DLL (4 IoCs)
pid | Process
2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvszmt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | gvszmt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | gvszmt.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gvszmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | gvszmt.exe
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | www.showmyipaddress.com
6 | www.whatismyip.ca
9 | whatismyip.everdot.org
13 | whatismyipaddress.com
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\slmxozdswgirmmnfruqjkvmxbquegpkk.dps | gvszmt.exe
File created | C:\Windows\SysWOW64\slmxozdswgirmmnfruqjkvmxbquegpkk.dps | gvszmt.exe
File opened for modification | C:\Windows\SysWOW64\xfvvbbuyrqhfpeubcufnd.jjc | gvszmt.exe
File created | C:\Windows\SysWOW64\xfvvbbuyrqhfpeubcufnd.jjc | gvszmt.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\xfvvbbuyrqhfpeubcufnd.jjc | gvszmt.exe
File created | C:\Program Files (x86)\xfvvbbuyrqhfpeubcufnd.jjc | gvszmt.exe
File opened for modification | C:\Program Files (x86)\slmxozdswgirmmnfruqjkvmxbquegpkk.dps | gvszmt.exe
File created | C:\Program Files (x86)\slmxozdswgirmmnfruqjkvmxbquegpkk.dps | gvszmt.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\slmxozdswgirmmnfruqjkvmxbquegpkk.dps | gvszmt.exe
File created | C:\Windows\slmxozdswgirmmnfruqjkvmxbquegpkk.dps | gvszmt.exe
File opened for modification | C:\Windows\xfvvbbuyrqhfpeubcufnd.jjc | gvszmt.exe
File created | C:\Windows\xfvvbbuyrqhfpeubcufnd.jjc | gvszmt.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gvszmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gvszmt.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2696 | gvszmt.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2696 | gvszmt.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2692 wrote to memory of 2696 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 30
PID 2692 wrote to memory of 2696 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 30
PID 2692 wrote to memory of 2696 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 30
PID 2692 wrote to memory of 2696 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 30
PID 2692 wrote to memory of 2972 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 31
PID 2692 wrote to memory of 2972 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 31
PID 2692 wrote to memory of 2972 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 31
PID 2692 wrote to memory of 2972 | 2692 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 31
System policy modification (1 TTPs, 36 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\gvszmt.exe (child of PID 2692)
Command line: "C:\Users\Admin\AppData\Local\Temp\gvszmt.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\gvszmt.exe (child of PID 2692)
Command line: "C:\Users\Admin\AppData\Local\Temp\gvszmt.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:2972
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
-
Filesize 272B
MD5 7ad37d18b9c4f82a333310bdddea8b9f
SHA1 7ba2ac6c0bcc71572ee550af082a7b366ffa8172
SHA256 29af93ebde1ee4b84dec4000db45124e91c8c96b5255db554b867e58ccacc34b
SHA512 8c03e72d3d76fb70656fed9a2d79d91e6e23e0ab4715871fda7c2a7b2462df1a9408541839babb127061d2324d9babc9db6e8f962d62346bdad4fb2976a0f89e
-
Filesize 1.2MB
MD5 e50ab7103facb30382f7edfbf0deb100
SHA1 62b5d8d5f102d52e38cac4989db38271937f6755
SHA256 c8960a32f17786d7b06905556b54cbd805894573c3ca3a8d2611ddf13d4dfaa7
SHA512 0f7a805fec6bfbd22917912536ada0d9a6c20991b9d495d0ea11e04b6abb975659a219b63325c24f7e1c7e14b821cdd25c100936a73ade8c8b43b9bd74f4d586
-
Filesize 3KB
MD5 19e5b5ef9eda9b313c9f8dcc80262254
SHA1 35a4d69fa73546830cfe0078d79433cd9d5589e0
SHA256 35c4f3da1e0d2f70d918607a495724ce1ef08c03a82edf46674a2a42df0121e6
SHA512 21ca2480e5dac43d095e0f632e703f3bf8c4515d0a8a9c66ec3f75b8b4079101898872306381945588287afad78caec9904be0bfc3bde62d9bd21a0e7ea603ee
-
Filesize 272B
MD5 0db56c0570ba4de5ca06cfefd7e3d7c6
SHA1 2f82fcad3f2a711db0ffe667f31be2cee63ea8d8
SHA256 69100c766f682246dc5c92a24b3175b83ed710782c699ff4b45e0962c268bca8
SHA512 af3cc2c1f58efedb11d60c3d26b903c7cd0a9132ef41329eac3c07faffa257547a8feb349d2a45087ae070943a75f5d621087171f6e6846c41ae7fc9d66d4b61
-
Filesize 272B
MD5 09d8402cfb633af02561826c8f924e6e
SHA1 a094b087bbe2265a1b017b1de9a04e9d031d5f95
SHA256 3129c13b2f5f828db67e16133289e9c3a8c2ead148ed63058dd951ec9cb1262c
SHA512 0857d4524b385739bdcb3fb500dbce63dcbd0d91a378ab0ad9d81bf49ad63feca42c7ff4f2334144aadc5d84a07dd7b97febe87645943dc0a80626ca50967361
-
Filesize 272B
MD5 1823a25e5591aa9e5d963483b7f8b756
SHA1 413ce17432a6287ac2243bdf6343fb5e6216e4cc
SHA256 b817ba0310e5313d751abc521e736e7a7284351fe0f820276291da49b550472b
SHA512 aa80e1d9fd05ce4ac22ad67077b6e76aa21afd0579fb3d2c28e198f5869ff8df562af8485fb35f190b1b4a51a2161ac3a5d66f1c523367e070f4518f78084ff0
-
Filesize 272B
MD5 9202491a8db0c0ea63a343da28137b93
SHA1 a41801e38227ba96f005a80814677b5d96f7cb81
SHA256 2a25cfc958b16fd0ee83711a7b47e5599a658c0694027c53bf0a5d7f981e1051
SHA512 85cddeaf789f6ea4daa75957bb5a7ace9fd6f251a0979f102f6d0e8c2907bad744b8ceed427e271d35e45b6f79c743a64fceb7884877f2533d8444c7c1283aa7