Analysis
- max time kernel: 5s
- max time network: 1s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 29/03/2025, 17:52
Static task: static1
Behavioral task: behavioral1
  Sample: assasin terror.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: assasin terror.exe
  Resource: win10v2004-20250314-en
General
- Target: assasin terror.exe
- Size: 456KB
- MD5: b46ee2dfaa9ff0d313f2961dfed817de
- SHA1: f0cc165c55eb0cefc228ef74546f2af7bf046dd5
- SHA256: a10701e1ca478e967fe767382a33025aef1183259e0d1aff990f5f9b34335fb6
- SHA512: 8fe28ea982f48e9d79a0c06b9c17ad0a350c594115bc88a65456feae50b261e196bd886d703e7b4cada1588b205d93492502c3632bba898bb5e2909f5ecfc829
- SSDEEP: 12288:HpUJ3r6YkVwJgNnSykgb9cqWnw4q6ZmFhqse:HpUNr6YkVRFkgbeqeo68Fhq/
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | guxcgm.exe

Pykspa family

UAC bypass (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guxcgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guxcgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cxtzfhhamhd.exe

Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x00080000000120ff-8.dat | family_pykspa
behavioral1/files/0x0008000000019228-61.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 9 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vikor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdsgwrhwhllmxip.exe" | guxcgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vikor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixoewtlcpvxanajqq.exe" | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iydkqylt = "vyqkdyytndmrxndpzcjme.exe" | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vikor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymcrievlxcdfrdlr.exe" | cxtzfhhamhd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iydkqylt = "iixoewtlcpvxanajqq.exe" | guxcgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iydkqylt = "vyqkdyytndmrxndpzcjme.exe" | guxcgm.exe

Disables RegEdit via registry modification (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guxcgm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guxcgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guxcgm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cxtzfhhamhd.exe

Executes dropped EXE (3 IoCs)
pid | Process
1700 | cxtzfhhamhd.exe
2860 | guxcgm.exe
2616 | guxcgm.exe

Impair Defenses: Safe Mode Boot (1 TTPs, 3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | guxcgm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | guxcgm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | guxcgm.exe

Loads dropped DLL (6 IoCs)
pid | Process
1260 | assasin terror.exe
1260 | assasin terror.exe
1700 | cxtzfhhamhd.exe
1700 | cxtzfhhamhd.exe
1700 | cxtzfhhamhd.exe
1700 | cxtzfhhamhd.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\timsxeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukctmkdvjqtxlzjrsx.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\skraishraf = "gizskedxqfnrwlaluwce.exe ." | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\guxcgm = "zymcrievlxcdfrdlr.exe" | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\timsxeq = "vyqkdyytndmrxndpzcjme.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngoyhsitdji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqkdyytndmrxndpzcjme.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\guxcgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqkdyytndmrxndpzcjme.exe" | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\timsxeq = "sqdsgwrhwhllmxip.exe ." | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngoyhsitdji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gizskedxqfnrwlaluwce.exe ." | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\timsxeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tukctmkdvjqtxlzjrsx.exe ." | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\guxcgm = "zymcrievlxcdfrdlr.exe" | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\timsxeq = "tukctmkdvjqtxlzjrsx.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kenyiulxippl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vyqkdyytndmrxndpzcjme.exe" | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kenyiulxippl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdsgwrhwhllmxip.exe" | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ngoyhsitdji = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymcrievlxcdfrdlr.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\guxcgm = "tukctmkdvjqtxlzjrsx.exe" | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\zqweluirz = "iixoewtlcpvxanajqq.exe" | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kenyiulxippl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gizskedxqfnrwlaluwce.exe" | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\skraishraf = "iixoewtlcpvxanajqq.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\skraishraf = "iixoewtlcpvxanajqq.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\timsxeq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zymcrievlxcdfrdlr.exe ." | guxcgm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\guxcgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqdsgwrhwhllmxip.exe" | cxtzfhhamhd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\zqweluirz = "iixoewtlcpvxanajqq.exe" | guxcgm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\zqweluirz = "vyqkdyytndmrxndpzcjme.exe" | guxcgm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\guxcgm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iixoewtlcpvxanajqq.exe" | guxcgm.exe

Checks whether UAC is enabled (1 TTPs, 6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | guxcgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cxtzfhhamhd.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guxcgm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | guxcgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guxcgm.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTPs, 1 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | cxtzfhhamhd.exe
Drops file in System32 directory (25 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\mqjeyuvrmdntarivgkswpk.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\webayyddcxlvgbwnckweba.ydd | guxcgm.exe
File created | C:\Windows\SysWOW64\ngoyhsitdjidzflnngdweoxiyjtzytpvb.dwt | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\zymcrievlxcdfrdlr.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\SysWOW64\iixoewtlcpvxanajqq.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\SysWOW64\tukctmkdvjqtxlzjrsx.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\SysWOW64\tukctmkdvjqtxlzjrsx.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\mqjeyuvrmdntarivgkswpk.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\iixoewtlcpvxanajqq.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\vyqkdyytndmrxndpzcjme.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\sqdsgwrhwhllmxip.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\SysWOW64\gizskedxqfnrwlaluwce.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\SysWOW64\sqdsgwrhwhllmxip.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\iixoewtlcpvxanajqq.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\vyqkdyytndmrxndpzcjme.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\sqdsgwrhwhllmxip.exe | guxcgm.exe
File created | C:\Windows\SysWOW64\webayyddcxlvgbwnckweba.ydd | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\ngoyhsitdjidzflnngdweoxiyjtzytpvb.dwt | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\zymcrievlxcdfrdlr.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\gizskedxqfnrwlaluwce.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\zymcrievlxcdfrdlr.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\gizskedxqfnrwlaluwce.exe | guxcgm.exe
File opened for modification | C:\Windows\SysWOW64\vyqkdyytndmrxndpzcjme.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\SysWOW64\mqjeyuvrmdntarivgkswpk.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\SysWOW64\tukctmkdvjqtxlzjrsx.exe | guxcgm.exe

Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\webayyddcxlvgbwnckweba.ydd | guxcgm.exe
File created | C:\Program Files (x86)\webayyddcxlvgbwnckweba.ydd | guxcgm.exe
File opened for modification | C:\Program Files (x86)\ngoyhsitdjidzflnngdweoxiyjtzytpvb.dwt | guxcgm.exe
File created | C:\Program Files (x86)\ngoyhsitdjidzflnngdweoxiyjtzytpvb.dwt | guxcgm.exe

Drops file in Windows directory (25 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\gizskedxqfnrwlaluwce.exe | guxcgm.exe
File opened for modification | C:\Windows\tukctmkdvjqtxlzjrsx.exe | guxcgm.exe
File opened for modification | C:\Windows\gizskedxqfnrwlaluwce.exe | guxcgm.exe
File opened for modification | C:\Windows\mqjeyuvrmdntarivgkswpk.exe | guxcgm.exe
File created | C:\Windows\ngoyhsitdjidzflnngdweoxiyjtzytpvb.dwt | guxcgm.exe
File opened for modification | C:\Windows\vyqkdyytndmrxndpzcjme.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\vyqkdyytndmrxndpzcjme.exe | guxcgm.exe
File opened for modification | C:\Windows\mqjeyuvrmdntarivgkswpk.exe | guxcgm.exe
File opened for modification | C:\Windows\zymcrievlxcdfrdlr.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\iixoewtlcpvxanajqq.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\tukctmkdvjqtxlzjrsx.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\sqdsgwrhwhllmxip.exe | guxcgm.exe
File opened for modification | C:\Windows\iixoewtlcpvxanajqq.exe | guxcgm.exe
File opened for modification | C:\Windows\zymcrievlxcdfrdlr.exe | guxcgm.exe
File opened for modification | C:\Windows\iixoewtlcpvxanajqq.exe | guxcgm.exe
File opened for modification | C:\Windows\webayyddcxlvgbwnckweba.ydd | guxcgm.exe
File opened for modification | C:\Windows\sqdsgwrhwhllmxip.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\gizskedxqfnrwlaluwce.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\zymcrievlxcdfrdlr.exe | guxcgm.exe
File opened for modification | C:\Windows\sqdsgwrhwhllmxip.exe | guxcgm.exe
File opened for modification | C:\Windows\vyqkdyytndmrxndpzcjme.exe | guxcgm.exe
File created | C:\Windows\webayyddcxlvgbwnckweba.ydd | guxcgm.exe
File opened for modification | C:\Windows\ngoyhsitdjidzflnngdweoxiyjtzytpvb.dwt | guxcgm.exe
File opened for modification | C:\Windows\mqjeyuvrmdntarivgkswpk.exe | cxtzfhhamhd.exe
File opened for modification | C:\Windows\tukctmkdvjqtxlzjrsx.exe | guxcgm.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | assasin terror.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cxtzfhhamhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | guxcgm.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | Process
1260 | assasin terror.exe
1260 | assasin terror.exe
1260 | assasin terror.exe
1260 | assasin terror.exe
1260 | assasin terror.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2860 | guxcgm.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1260 wrote to memory of 1700 | 1260 | assasin terror.exe | 30
PID 1260 wrote to memory of 1700 | 1260 | assasin terror.exe | 30
PID 1260 wrote to memory of 1700 | 1260 | assasin terror.exe | 30
PID 1260 wrote to memory of 1700 | 1260 | assasin terror.exe | 30
PID 1700 wrote to memory of 2860 | 1700 | cxtzfhhamhd.exe | 31
PID 1700 wrote to memory of 2860 | 1700 | cxtzfhhamhd.exe | 31
PID 1700 wrote to memory of 2860 | 1700 | cxtzfhhamhd.exe | 31
PID 1700 wrote to memory of 2860 | 1700 | cxtzfhhamhd.exe | 31
PID 1700 wrote to memory of 2616 | 1700 | cxtzfhhamhd.exe | 32
PID 1700 wrote to memory of 2616 | 1700 | cxtzfhhamhd.exe | 32
PID 1700 wrote to memory of 2616 | 1700 | cxtzfhhamhd.exe | 32
PID 1700 wrote to memory of 2616 | 1700 | cxtzfhhamhd.exe | 32

System policy modification (1 TTPs, 17 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | cxtzfhhamhd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | guxcgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | guxcgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guxcgm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | cxtzfhhamhd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | guxcgm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cxtzfhhamhd.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | guxcgm.exe
Processes
C:\Users\Admin\AppData\Local\Temp\assasin terror.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\assasin terror.exe"
  PID: 1260
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cxtzfhhamhd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cxtzfhhamhd.exe" "c:\users\admin\appdata\local\temp\assasin terror.exe*"
    PID: 1700
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Users\Admin\AppData\Local\Temp\guxcgm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\guxcgm.exe" "-C:\Users\Admin\AppData\Local\Temp\sqdsgwrhwhllmxip.exe"
      PID: 2860
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification

    C:\Users\Admin\AppData\Local\Temp\guxcgm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\guxcgm.exe" "-C:\Users\Admin\AppData\Local\Temp\sqdsgwrhwhllmxip.exe"
      PID: 2616
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads
- Filesize: 320KB
  MD5: b3bdef94f94e8ff4e050f028004eb0de
  SHA1: 2ba7161ffaa14ce8ed270e12cdfbebd55cbee4a7
  SHA256: 3675695291696ca22973fa3f1795d3bf61be5e414a461bd734fdbc52abd72e56
  SHA512: b1149d0124d9f4cdd436cdcd0309ae12b68b394ebfe0eeff321619a036ae6a13543679ea6683c4a0367e6b71edb16f68f68220f54c5cbde3a5bbbec7142c117c
- Filesize: 4KB
  MD5: 38aaf86210318a8831250ebdc1f0f6f7
  SHA1: 4861f7165783fde665b892c001420905163f4f30
  SHA256: 6f23250f83b07f78ad8a1058fc39015840716f425200d4ee300a126249962035
  SHA512: 40023a5175edd751b6b88fe37e12548b8efd7e70c1bfc7ff597a9f74aa526c45e8df7cb6ab2eeb8a6493321846c6f54f8d61eb655cf9e6b300aed2bd75ae4b57
- Filesize: 280B
  MD5: 3fd74b3f4c8129de2f1d3e34e23e8244
  SHA1: d701b2501e5cf7f3b1257f9de8e10d8ea5966349
  SHA256: 3c344a39fa3934aa19e25f576013e8ba469853386ba7f0dfe0709d73db62ef4f
  SHA512: 0201691b2be194784dc9f54b955ec5c59b6adbc367f42e6307678b9f92db72c2c206f8cb48c58684b654b1277f1e93be17d3dbae0ac0d77b9adbb678ce5d3ae6
- Filesize: 456KB
  MD5: b46ee2dfaa9ff0d313f2961dfed817de
  SHA1: f0cc165c55eb0cefc228ef74546f2af7bf046dd5
  SHA256: a10701e1ca478e967fe767382a33025aef1183259e0d1aff990f5f9b34335fb6
  SHA512: 8fe28ea982f48e9d79a0c06b9c17ad0a350c594115bc88a65456feae50b261e196bd886d703e7b4cada1588b205d93492502c3632bba898bb5e2909f5ecfc829
- Filesize: 720KB
  MD5: 3be07f33e7327012c027e1905df560c8
  SHA1: c3a765c1293e0f6d885ce98de649ad99cd00b9be
  SHA256: 11c536747af019a14cdf61d2bbbbd9c42458dccbee30f821f4ada7ea42765743
  SHA512: eda460e0bd6f8fa13199ff2174fa95c94f86234eb29fcdc5df22e7e6ee79ec8809d5eb208da6cc0c3f94ef777f89c1a9c06370155204cf1765c71889708356f3