Analysis
max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
26/03/2025, 15:03
Behavioral task
behavioral1
Sample
fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Resource
win10v2004-20250314-en
General
Target
fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Size
716KB
MD5
93174c157674649159da1f69d0d8b4f5
SHA1
7260ddac1ead316bdbe3bfa66d9605ffcb1d589e
SHA256
fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3
SHA512
5b76bcb47d8e81fce2b1a3ed3550860e1747c1fbb095b82162c71cf9f038d45fef7a915bc933e126305693d14f90de0357cf3da72009f849bcc3caa3667f4f2e
SSDEEP
12288:iXgvmzFHi0mo5aH0qMzd5807FQPJQPDHvd:iXgvOHi0mGaH0qSdPFC4V
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Note: the data written here is "Explorer.exe", which is the default shell, so the indicator in this run is that the sample rewrites the Winlogon Shell value (under the Wow6432Node view) at all, not that the shell was replaced by a dropped binary.
UAC bypass 3 TTPs 12 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Note: these are writes to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which need administrative rights, so the signature records the sample switching UAC prompting off for later elevations once it already runs elevated rather than defeating a prompt in this run; EnableLUA = 0 only takes effect after the next reboot.
Adds policy Run key to start application 2 TTPs 26 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "pczslxmhyjtevarzaj.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "zkfwnxkdsbjshkzf.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "gsogyjxrhrakaeubb.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "pczslxmhyjtevarzaj.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run nozgnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyqeszjzlrwco = "zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsogyjxrhrakaeubb.exe" nozgnn.exe
Disables RegEdit via registry modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nozgnn.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nozgnn.exe
Executes dropped EXE 2 IoCs
pid Process
2096 nozgnn.exe
1800 nozgnn.exe
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
description ioc Process
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend nozgnn.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc nozgnn.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power nozgnn.exe
Note: deleting a service's entry under SafeBoot\Minimal removes it from the set of services Windows starts in Safe Mode; WinDefend is Windows Defender and ProfSvc is the User Profile Service.
Loads dropped DLL 4 IoCs
pid Process
2108 fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe (4 identical entries)
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "gsogyjxrhrakaeubb.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "cssokzrpjxkysaufjvllh.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "aomgandzrdoasyqzblz.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "gsogyjxrhrakaeubb.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "gsogyjxrhrakaeubb.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsogyjxrhrakaeubb.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsogyjxrhrakaeubb.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "ncbwrfwtmzlyryrbeped.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "aomgandzrdoasyqzblz.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe ." fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsogyjxrhrakaeubb.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsogyjxrhrakaeubb.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "pczslxmhyjtevarzaj.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "pczslxmhyjtevarzaj.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "ncbwrfwtmzlyryrbeped.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "zkfwnxkdsbjshkzf.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "cssokzrpjxkysaufjvllh.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aomgandzrdoasyqzblz.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "aomgandzrdoasyqzblz.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "gsogyjxrhrakaeubb.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "zkfwnxkdsbjshkzf.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "zkfwnxkdsbjshkzf.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "cssokzrpjxkysaufjvllh.exe ." fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "gsogyjxrhrakaeubb.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "pczslxmhyjtevarzaj.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "cssokzrpjxkysaufjvllh.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aomgandzrdoasyqzblz.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe ." fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "cssokzrpjxkysaufjvllh.exe" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aomgandzrdoasyqzblz.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "ncbwrfwtmzlyryrbeped.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "pczslxmhyjtevarzaj.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkfwnxkdsbjshkzf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsogyjxrhrakaeubb.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncbwrfwtmzlyryrbeped.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ratixfqhubhobc = "zkfwnxkdsbjshkzf.exe" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "aomgandzrdoasyqzblz.exe ." nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaqcotbpzdg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pczslxmhyjtevarzaj.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rypcpvetejns = "ncbwrfwtmzlyryrbeped.exe ." fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nozgnn.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nozgnn.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nozgnn.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's installer-detection elevation for standard users (EnableInstallerDetection = 0 stops Windows from prompting to elevate programs it heuristically identifies as installers).
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" nozgnn.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
3 whatismyip.everdot.org
7 www.showmyipaddress.com
12 whatismyipaddress.com
18 www.whatismyip.ca
Drops file in System32 directory 4 IoCs
description ioc Process
File created C:\Windows\SysWOW64\ccmsyxzhljgeiaeznjjtzfegosq.lph nozgnn.exe
File opened for modification C:\Windows\SysWOW64\zkfwnxkdsbjshkzfelwrizjwpenvetwlrqxidu.vib nozgnn.exe
File created C:\Windows\SysWOW64\zkfwnxkdsbjshkzfelwrizjwpenvetwlrqxidu.vib nozgnn.exe
File opened for modification C:\Windows\SysWOW64\ccmsyxzhljgeiaeznjjtzfegosq.lph nozgnn.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\ccmsyxzhljgeiaeznjjtzfegosq.lph nozgnn.exe
File opened for modification C:\Program Files (x86)\zkfwnxkdsbjshkzfelwrizjwpenvetwlrqxidu.vib nozgnn.exe
File created C:\Program Files (x86)\zkfwnxkdsbjshkzfelwrizjwpenvetwlrqxidu.vib nozgnn.exe
File opened for modification C:\Program Files (x86)\ccmsyxzhljgeiaeznjjtzfegosq.lph nozgnn.exe
Drops file in Windows directory 4 IoCs
description ioc Process
File opened for modification C:\Windows\zkfwnxkdsbjshkzfelwrizjwpenvetwlrqxidu.vib nozgnn.exe
File created C:\Windows\zkfwnxkdsbjshkzfelwrizjwpenvetwlrqxidu.vib nozgnn.exe
File opened for modification C:\Windows\ccmsyxzhljgeiaeznjjtzfegosq.lph nozgnn.exe
File created C:\Windows\ccmsyxzhljgeiaeznjjtzfegosq.lph nozgnn.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nozgnn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nozgnn.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2096 nozgnn.exe (64 identical entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2096 nozgnn.exe
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 2108 wrote to memory of 2096 2108 fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe 30 (4 identical entries)
PID 2108 wrote to memory of 1800 2108 fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe 31 (4 identical entries)
System policy modification 1 TTPs 36 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" nozgnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" nozgnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nozgnn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
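The UAC bypass, policy Run key, Run key, Winlogon, Safe Mode and system policy tables above all use the same flattened "description ioc Process" layout, which is awkward to triage by eye across 150-odd entries. The script below is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. It parses registry events in exactly the form the report prints them (operation, key path, optional `= "data"`, acting process) and reduces them to what matters: which policy values were actually weakened versus rewritten to their default, which dropped binaries are wired into Run/RunOnce/Policies\Explorer\Run, what was written to Winlogon\Shell, and which services were cut from Safe Mode. SAMPLE is a constructed subset copied from the tables above. The "hardened" values are an assumption of stock Windows 7/10 workstation defaults; EnableInstallerDetection defaults to 0 on Enterprise SKUs, so treat that entry accordingly on enterprise fleets.

```python
"""Triage helper for flattened sandbox registry-event tables (added example)."""
import re

# One event as the report prints it: operation, key (may contain spaces, e.g.
# "Windows NT"), optional = "data" (only for Set value), then the acting process.
EVENT_RE = re.compile(
    r'(?P<op>Set value \((?:int|str)\)|Key created|Key deleted|Key opened|Key value queried)'
    r'\s+(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<proc>[\w.-]+\.exe)(?=\s|$)',
    re.MULTILINE,
)

# Assumed stock workstation defaults for the policy values this sample writes.
HARDENED = {
    "EnableLUA": "1",
    "ConsentPromptBehaviorAdmin": "5",
    "ConsentPromptBehaviorUser": "3",
    "PromptOnSecureDesktop": "1",
    "EnableInstallerDetection": "1",
    "EnableSecureUIAPaths": "1",
    "EnableVirtualization": "1",
    "FilterAdministratorToken": "0",
    "ValidateAdminCodeSignatures": "0",
    "DisableRegistryTools": "0",
}
AUTOSTART_RE = re.compile(r"\\Run(?:Once)?\\[^\\]+$")
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\Minimal\\([^\\]+)$")


def parse_events(text):
    """Yield (op, key, data, proc) for every registry event found in text."""
    for m in EVENT_RE.finditer(text):
        yield m.group("op"), m.group("key"), m.group("data"), m.group("proc")


def triage(text):
    """Summarise policy weakening, autostart wiring, Winlogon shell and Safe Mode edits."""
    out = {
        "policy_weakened": {},      # value name -> data that differs from the default
        "policy_noop": {},          # written, but equal to the default (no effective change)
        "autostart_binaries": set(),
        "winlogon_shell": set(),
        "safeboot_deleted": set(),
        "writers": set(),           # processes that wrote or deleted something
    }
    for op, key, data, proc in parse_events(text):
        if op.startswith("Set value") and data is not None:
            out["writers"].add(proc)
            parent, _, name = key.rpartition("\\")
            if parent.endswith("\\Policies\\System") and name in HARDENED:
                bucket = "policy_weakened" if data != HARDENED[name] else "policy_noop"
                out[bucket][name] = data
            elif key.endswith("\\Winlogon\\Shell"):
                out["winlogon_shell"].add(data)
            elif AUTOSTART_RE.search(key):
                # RunOnce data is "<exe> ."; Run data may be a full path with doubled backslashes.
                first = data.split()[0]
                out["autostart_binaries"].add(re.split(r"\\+", first)[-1])
        elif op == "Key deleted":
            out["writers"].add(proc)
            m = SAFEBOOT_RE.search(key)
            if m:
                out["safeboot_deleted"].add(m.group(1))
    return out


# Constructed subset of the report's entries, copied verbatim from the tables above.
SAMPLE = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" nozgnn.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zeteptanwz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cssokzrpjxkysaufjvllh.exe" nozgnn.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ueyoenzrfnucqsg = "gsogyjxrhrakaeubb.exe ." nozgnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gsogyjxrhrakaeubb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkfwnxkdsbjshkzf.exe" nozgnn.exe
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend nozgnn.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
'''

if __name__ == "__main__":
    for label, value in triage(SAMPLE).items():
        print(f"{label}: {sorted(value) if isinstance(value, set) else value}")
```

Paste the full signature tables in place of SAMPLE to get the whole run's summary. Splitting writes into "weakened" and "no-op" buckets is deliberate: FilterAdministratorToken and ValidateAdminCodeSignatures are written to 0 but already default to 0, so listing them as UAC weakening would overstate what changed; the same comparison against your own baseline is what a host-side check should do before raising an alert.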
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe "C:\Users\Admin\AppData\Local\Temp\fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2108
C:\Users\Admin\AppData\Local\Temp\nozgnn.exe "C:\Users\Admin\AppData\Local\Temp\nozgnn.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2096
C:\Users\Admin\AppData\Local\Temp\nozgnn.exe "C:\Users\Admin\AppData\Local\Temp\nozgnn.exe" "-"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- System policy modification
PID:1800
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 3
  - Registry Run Keys / Startup Folder 2
  - Winlogon Helper DLL 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Hijack Execution Flow 1
  - Executable Installer File Permissions Weakness 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Safe Mode Boot 1
- Modify Registry 5
Downloads