Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2025, 12:42

Behavioral task: behavioral1
Sample: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Resource: win10v2004-20250314-en

General
Target: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Size: 696KB
MD5: a79189ec6015e24cb01ae28574e355b3
SHA1: fa795dff6bcf25e8dc707829c19f2fe6377055fb
SHA256: dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a
SHA512: 72a7992caa811cce783cf76499658e1d853552cd589cc7297f0a3cff8cbbfb14dc9b1d11332856b6a33f3c1225c62d10db7a2e967d782f20f6941ed78370ae6c
SSDEEP: 6144:I3Be8ySm8hQAAIfFrRXuEE+0l97mKwKRwHVqF86JQPDHDdx/Qtqa:h/zkFF+EExZmKbRQV4PJQPDHvd
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | orwdit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | orwdit.exe
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | orwdit.exe
Adds policy Run key to start application (2 TTPs, 28 IoCs)
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | orwdit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | orwdit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Executes dropped EXE (2 IoCs)
pid | Process
4720 | orwdit.exe
4736 | orwdit.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | orwdit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | orwdit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | orwdit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | orwdit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | orwdit.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | orwdit.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | orwdit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | orwdit.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | orwdit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | orwdit.exe
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
32 | www.showmyipaddress.com
40 | www.whatismyip.ca
42 | www.whatismyip.ca
46 | www.whatismyip.ca
28 | whatismyip.everdot.org
29 | whatismyipaddress.com
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\fbzzxbyswpujhbpenbnjh.fjg | orwdit.exe
File created | C:\Windows\SysWOW64\fbzzxbyswpujhbpenbnjh.fjg | orwdit.exe
File opened for modification | C:\Windows\SysWOW64\ahqbkzhmbfvvejiicbyfozixfkzdttch.gaz | orwdit.exe
File created | C:\Windows\SysWOW64\ahqbkzhmbfvvejiicbyfozixfkzdttch.gaz | orwdit.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\fbzzxbyswpujhbpenbnjh.fjg | orwdit.exe
File created | C:\Program Files (x86)\fbzzxbyswpujhbpenbnjh.fjg | orwdit.exe
File opened for modification | C:\Program Files (x86)\ahqbkzhmbfvvejiicbyfozixfkzdttch.gaz | orwdit.exe
File created | C:\Program Files (x86)\ahqbkzhmbfvvejiicbyfozixfkzdttch.gaz | orwdit.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\fbzzxbyswpujhbpenbnjh.fjg | orwdit.exe
File created | C:\Windows\fbzzxbyswpujhbpenbnjh.fjg | orwdit.exe
File opened for modification | C:\Windows\ahqbkzhmbfvvejiicbyfozixfkzdttch.gaz | orwdit.exe
File created | C:\Windows\ahqbkzhmbfvvejiicbyfozixfkzdttch.gaz | orwdit.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | orwdit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | orwdit.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | orwdit.exe
Key created | \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings | orwdit.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
4720 | orwdit.exe (the same pid/process pair is listed for all 22 IoCs)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
4736 | orwdit.exe
4720 | orwdit.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4720 | orwdit.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 5672 wrote to memory of 4720 | 5672 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 91
PID 5672 wrote to memory of 4720 | 5672 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 91
PID 5672 wrote to memory of 4720 | 5672 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 91
PID 5672 wrote to memory of 4736 | 5672 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 92
PID 5672 wrote to memory of 4736 | 5672 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 92
PID 5672 wrote to memory of 4736 | 5672 | dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe | 92
System policy modification (1 TTPs, 36 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe
"C:\Users\Admin\AppData\Local\Temp\dfd5f2dabc9e48eaf333b76da901ffa387e0753fd00353b8b03f976f36d3e00a.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5672
-
  C:\Users\Admin\AppData\Local\Temp\orwdit.exe
  "C:\Users\Admin\AppData\Local\Temp\orwdit.exe" "-"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4720
-
  C:\Users\Admin\AppData\Local\Temp\orwdit.exe
  "C:\Users\Admin\AppData\Local\Temp\orwdit.exe" "-"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - System policy modification
  PID:4736
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:5368
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (3)
Registry Run Keys / Startup Folder (2)
Winlogon Helper DLL (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Hijack Execution Flow (1)
Executable Installer File Permissions Weakness (1)
Impair Defenses (2)
Disable or Modify Tools (1)
Safe Mode Boot (1)
Modify Registry (5)
Downloads