Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2025, 15:03
Behavioral task: behavioral1
Sample: fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Resource: win10v2004-20250314-en
General

Target: fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Size: 716KB
MD5: 93174c157674649159da1f69d0d8b4f5
SHA1: 7260ddac1ead316bdbe3bfa66d9605ffcb1d589e
SHA256: fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3
SHA512: 5b76bcb47d8e81fce2b1a3ed3550860e1747c1fbb095b82162c71cf9f038d45fef7a915bc933e126305693d14f90de0357cf3da72009f849bcc3caa3667f4f2e
SSDEEP: 12288:iXgvmzFHi0mo5aH0qMzd5807FQPJQPDHvd:iXgvOHi0mGaH0qSdPFC4V
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mqzfmt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | mqzfmt.exe
UAC bypass (3 TTPs, 12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Adds policy Run key to start application (2 TTPs, 28 IoCs)
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqzfmt.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | mqzfmt.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Executes dropped EXE (2 IoCs)
pid | Process
1808 | mqzfmt.exe
2864 | mqzfmt.exe
Impair Defenses: Safe Mode Boot (1 TTPs, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | mqzfmt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | mqzfmt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | mqzfmt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | mqzfmt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | mqzfmt.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | mqzfmt.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mqzfmt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mqzfmt.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mqzfmt.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mqzfmt.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | mqzfmt.exe
Looks up external IP address via web service (6 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
26 | whatismyipaddress.com
31 | www.showmyipaddress.com
34 | www.whatismyip.ca
40 | whatismyip.everdot.org
45 | www.whatismyip.ca
46 | whatismyip.everdot.org
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\subfkpkruzjnkbmyfbmovzejel.tdh | mqzfmt.exe
File created | C:\Windows\SysWOW64\subfkpkruzjnkbmyfbmovzejel.tdh | mqzfmt.exe
File opened for modification | C:\Windows\SysWOW64\tgyndtzrfvqfnpliahdqixndjbpfapxzvskrn.shx | mqzfmt.exe
File created | C:\Windows\SysWOW64\tgyndtzrfvqfnpliahdqixndjbpfapxzvskrn.shx | mqzfmt.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\subfkpkruzjnkbmyfbmovzejel.tdh | mqzfmt.exe
File created | C:\Program Files (x86)\subfkpkruzjnkbmyfbmovzejel.tdh | mqzfmt.exe
File opened for modification | C:\Program Files (x86)\tgyndtzrfvqfnpliahdqixndjbpfapxzvskrn.shx | mqzfmt.exe
File created | C:\Program Files (x86)\tgyndtzrfvqfnpliahdqixndjbpfapxzvskrn.shx | mqzfmt.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\tgyndtzrfvqfnpliahdqixndjbpfapxzvskrn.shx | mqzfmt.exe
File opened for modification | C:\Windows\subfkpkruzjnkbmyfbmovzejel.tdh | mqzfmt.exe
File created | C:\Windows\subfkpkruzjnkbmyfbmovzejel.tdh | mqzfmt.exe
File opened for modification | C:\Windows\tgyndtzrfvqfnpliahdqixndjbpfapxzvskrn.shx | mqzfmt.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mqzfmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mqzfmt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings | mqzfmt.exe
Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings | mqzfmt.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
1808 | mqzfmt.exe (the same entry is reported 22 times)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2864 | mqzfmt.exe
1808 | mqzfmt.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1808 | mqzfmt.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2300 wrote to memory of 1808 | 2300 | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe | 92
PID 2300 wrote to memory of 1808 | 2300 | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe | 92
PID 2300 wrote to memory of 1808 | 2300 | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe | 92
PID 2300 wrote to memory of 2864 | 2300 | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe | 93
PID 2300 wrote to memory of 2864 | 2300 | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe | 93
PID 2300 wrote to memory of 2864 | 2300 | fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe | 93
System policy modification (1 TTPs, 36 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe
"C:\Users\Admin\AppData\Local\Temp\fcb7c6b00fe2a8515dfd949b11faab8a6e6469284a2eae1bf58f3e5a2cb6bbf3.exe"
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Hijack Execution Flow: Executable Installer File Permissions Weakness
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2300
    C:\Users\Admin\AppData\Local\Temp\mqzfmt.exe
    "C:\Users\Admin\AppData\Local\Temp\mqzfmt.exe" "-"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1808
    C:\Users\Admin\AppData\Local\Temp\mqzfmt.exe
    "C:\Users\Admin\AppData\Local\Temp\mqzfmt.exe" "-"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - System policy modification
    PID:2864
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:2040
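The process tree above shows the dropper launching mqzfmt.exe from the user's Temp directory twice, with Run-key, policy Run-key and Safe Mode Boot persistence flagged on the children. The following is an added example, not code from the report, that enumerates those autostart locations on a host and flags any entry whose command or service image points into a user-writable directory, which is my heuristic rather than something the report states. It assumes an elevated PowerShell session on Windows 10 x64; SafeBoot entries are resolved to their service ImagePath, and entries that are not services (device class GUIDs, driver file names) resolve to no image and are left out of the final listing.

```powershell
# Added example (not from the sandbox report): enumerate the persistence locations the
# process tree points at and flag anything launched from a user-writable path, which is
# where this sample drops mqzfmt.exe. The pattern below is a heuristic, not a list from
# the report. Assumptions: elevated PowerShell on Windows 10 x64.

$userWritable = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'

function Get-RunKeyEntries {
    # "Adds Run key" and "Adds policy Run key" in the report: the ordinary Run keys plus
    # the Policies\Explorer\Run key, in both registry views and for the current user.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object.
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{
                Key     = $k
                Name    = $p.Name
                Command = [string]$p.Value
                Suspect = ([string]$p.Value -match $userWritable)
            }
        }
    }
}

function Get-SafeBootEntries {
    # "Impair Defenses: Safe Mode Boot" (T1562.009): a service listed under
    # SafeBoot\Minimal or SafeBoot\Network is started in safe mode as well. Resolve each
    # entry to its service ImagePath; non-service entries resolve to nothing.
    foreach ($mode in 'Minimal', 'Network') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $svc   = $_.PSChildName
            $image = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" `
                          -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            [pscustomobject]@{
                Mode    = $mode
                Entry   = $svc
                Image   = $image
                Suspect = ($null -ne $image -and $image -match $userWritable)
            }
        }
    }
}

Get-RunKeyEntries   | Format-Table -AutoSize
Get-SafeBootEntries | Where-Object { $_.Image } | Format-Table -AutoSize
```

Run it before and after detonation on a test host and diff the two listings; a new Run or policy Run value, or a new SafeBoot service, whose command resolves into AppData\Local\Temp is the pattern this report describes.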
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hijack Execution Flow (1)
    Executable Installer File Permissions Weakness (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Modify Registry (5)
Downloads
-
Filesize
280B
MD5
a393d2f54664b3b438b6dc8cd3e60a61
SHA1
3785f2fd2bed997c555e94bc951646938894aaf1
SHA256
b1b55a72a30990788bfa5f9cced18861560b3752c45c224f60a53c99bd90353e
SHA512
cbf7e71d9d43aa6ab246dad25faf4ba59cea51fef8e40b24f18806e46ee8198577d2f58d2eaa9a3c19bd5dc808ca69074a78e8dca4ebc4149ec343671b102383
-
Filesize
280B
MD5
aa698e8e3f6f58b39486ff741af1e042
SHA1
efcffe839841e04ea493a6e34eb2c5c07f387481
SHA256
4e85e8e5a9651ee770f32c19febe8c05a075ded6ed92873061c8fb836298f0b6
SHA512
7430728e093b8f718e497e1c4a04ac6a89ca03635c46561f63370cddd550805ede14799eee89c7d6f1654a0ec29e3736b900be4481aea1063a82aae198e714ce
-
Filesize
280B
MD5
a783b92aa0830d864a2670d57d36852f
SHA1
8d1e06d11e526499c7f9a107992b802225f170cc
SHA256
9a1254128f7ba89e3e73e8f29134ea4d7f4f445e75599d659a2d48176a035361
SHA512
8346af0f2510384f1c4d4604198d0a7f89374d48cc956b0ca1c378c36d352b262be4e24f275d037424a071aeca7277979be4a583fd0acd4b2d1f5f8567e02c62
-
Filesize
280B
MD5
5bb852ca386faf9e238e33540e2b3b66
SHA1
c6b0ca5fe224ef000d928ca0e5174994a381d45e
SHA256
c26060e54e8223c8366231ed099904a840174ae221ad8c3f21032d4a428b89c5
SHA512
39f07652c0800b975ff2924834c16f816c80c808b76aaee16ab8a8f0e31cfdf5b246d353cbafdeb66cb1417829e9ef4914315c0d628ea702719c74fa3b5c5152
-
Filesize
280B
MD5
828211c9cad7adaaf58c1236452ba837
SHA1
cf2bff5986d323588729b86ae9a291692c73ec5d
SHA256
77c59c1ac42637cf4e0554dcf30d52a2bbdb1b4631a088ac093f33a0328be05a
SHA512
b336a0293bb0023614b07388814ccca88d65baf0626382f597a71e5d21dd35e6e129034518cc8ba10d3b5d478981ccde2b1f44835912fa79031870d513d19d0c
-
Filesize
280B
MD5
aa5ea08516e12d21821647b3b69dfe45
SHA1
438ca54d8de8cf1b0947bd8ef1e168c72cd6e2a6
SHA256
27ba62c0258e744b53b55f1de725b20a684f0042d76c2722f061e8c5e263651d
SHA512
dbca5ace5d7655e4d40368f98ae03b07154ca92a9e1b8fb2aa4de533dfe7a519addb88c591e51c0df8a3f9a77c72c0273af15983d939ec8d66a22972b11d1806
-
Filesize
280B
MD5
3a22ed8aa064350daf21d2fed7c93a3b
SHA1
fcb49f481a7f0b5ee646ba95ca71e919d91ab53c
SHA256
c4f0ceb4b61450532710e544f19b9a5731f3b19ae18567703131d352bf3191bb
SHA512
003681ed2c16913aee23c27bd45d0ad0052210857e703f571127b59d9789034617a2cd9d0963960cd7a7949c1e86be8d4b1c52b57617fc6c9db759cbaf122718
-
Filesize
1.3MB
MD5
7ce11071ce6fa09694f36f3e29e6dd15
SHA1
2aa437da65aad578e3e45c9742f0502484deec95
SHA256
796dce3b10b9012f9a007d9d0532bf3ad760bb31ee0d29b1895480c21ee3cb87
SHA512
82959148f5dabcc587d42c5d2d2ed3ce9feaa5f85eb1c1ebc6255e879c79854123305ff8d706f42264282d54b912bec3d86f5051aa0e36c4dba92694eb1285b2
-
Filesize
280B
MD5
bed1371217586b03750656f531bf94cc
SHA1
1638e6bfe58993fdb806593249a5e2f4ce102d05
SHA256
aaf3b1a5f2b6e5c4749b238b3b301f69a4d1fa17736b358774c27b246e4e0e22
SHA512
c2845c54d392573f82922893aaaac55c6ff01ad774aa28dd8a3f6ee65abed9f1b1fdcae63a6bd4b37f4bb15c9349d70a17a2837ee9d3da93d27430cfd6e971bc
-
Filesize
4KB
MD5
63bd992fddec3981eae6e2e8f6ec925f
SHA1
7a83e66fcea3dda603c42743c98570ca0f0e7a36
SHA256
e8f847f10ee632e8fc06708683d6c117c7fdecf676032356cb65c184ba880e7b
SHA512
5ff66acfac6a5e72da0aca1cca039946d577a28934db728226d358f8a18a8c3a20d5caf44a99ac8d741303c8ae74e039240e70d75065b1e6130b527c31a2d7dd