384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Size

1.3MB
MD5

9e20a4c72ce5e53b60208f84cdc1d05c
SHA1

862f6e5d96de2bd4d65700bcc01932e2068ecd25
SHA256

384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd
SHA512

1fed8b1c63bd5737f1af4b5e9ed8c29b2bd09f8f8f8aebb5becb75efe354912034165f687466e18e5cb5df13281f97067dfaa437e131ddbd419d1e8e4ddcd333
SSDEEP

12288:BXgvmzFHi0mo5aH0qMzd5807FdkPJQPDHvd:BXgvOHi0mGaH0qSdPF84V

Score

10^/10

defense_evasion evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ycjpykq.exeycjpykq.exe384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ycjpykq.exe384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exeycjpykq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycjpykq.exe

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ycjpykq.exeycjpykq.exe384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwplkdrmgbuswpqalhy.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkaphcrbsizoiixu.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "nculfctfyqjawypowf.exe"	ycjpykq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "xkaphcrbsizoiixu.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "xkaphcrbsizoiixu.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "esjzsoephyqgbcsqx.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkaphcrbsizoiixu.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "yohzuskxrkewtwooxhc.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "nculfctfyqjawypowf.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oylxmeqxlymyp = "xkaphcrbsizoiixu.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xeoxjyhlwg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe"	ycjpykq.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exeycjpykq.exeycjpykq.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycjpykq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycjpykq.exe

Executes dropped EXE 2 IoCs

Processes:

ycjpykq.exeycjpykq.exe

pid process

2112 ycjpykq.exe
2248 ycjpykq.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

ycjpykq.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	ycjpykq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	ycjpykq.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	ycjpykq.exe

Loads dropped DLL 4 IoCs

Processes:

384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

pid	process
2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ycjpykq.exe384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exeycjpykq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "yohzuskxrkewtwooxhc.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xkaphcrbsizoiixu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asnheeynjeautysufrogb.exe ."	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "xkaphcrbsizoiixu.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkaphcrbsizoiixu.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "esjzsoephyqgbcsqx.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "yohzuskxrkewtwooxhc.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "asnheeynjeautysufrogb.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xkaphcrbsizoiixu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "nculfctfyqjawypowf.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asnheeynjeautysufrogb.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "nculfctfyqjawypowf.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "xkaphcrbsizoiixu.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "nculfctfyqjawypowf.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "xkaphcrbsizoiixu.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkaphcrbsizoiixu.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "nculfctfyqjawypowf.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xkaphcrbsizoiixu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "esjzsoephyqgbcsqx.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "yohzuskxrkewtwooxhc.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xkaphcrbsizoiixu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkaphcrbsizoiixu.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "nculfctfyqjawypowf.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "xkaphcrbsizoiixu.exe ."	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "lcwplkdrmgbuswpqalhy.exe ."	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xkaphcrbsizoiixu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "lcwplkdrmgbuswpqalhy.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "esjzsoephyqgbcsqx.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "asnheeynjeautysufrogb.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asnheeynjeautysufrogb.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xkaphcrbsizoiixu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkaphcrbsizoiixu.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sethysgpfukyrqe = "lcwplkdrmgbuswpqalhy.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "nculfctfyqjawypowf.exe ."	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "esjzsoephyqgbcsqx.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xkaphcrbsizoiixu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe ."	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yohzuskxrkewtwooxhc.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "nculfctfyqjawypowf.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "asnheeynjeautysufrogb.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\esjzsoephyqgbcsqx.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\paobrkxfuixkca = "yohzuskxrkewtwooxhc.exe"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\salviyinzkw = "nculfctfyqjawypowf.exe"	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "yohzuskxrkewtwooxhc.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pykvjalreqdo = "esjzsoephyqgbcsqx.exe ."	ycjpykq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\esjzsoephyqgbcsqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nculfctfyqjawypowf.exe"	ycjpykq.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exeycjpykq.exeycjpykq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycjpykq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycjpykq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 www.whatismyip.ca
9 www.showmyipaddress.com
19 whatismyip.everdot.org
3 whatismyipaddress.com

flow	ioc
8	www.whatismyip.ca
9	www.showmyipaddress.com
19	whatismyip.everdot.org
3	whatismyipaddress.com

Drops file in System32 directory 4 IoCs

Processes:

ycjpykq.exe

description	ioc	process
File created	C:\Windows\SysWOW64\achlscgflqwajycojfmotxeosrx.imv	ycjpykq.exe
File opened for modification	C:\Windows\SysWOW64\xkaphcrbsizoiixuahzmcrjetdukbqkkzwcjbo.tlg	ycjpykq.exe
File created	C:\Windows\SysWOW64\xkaphcrbsizoiixuahzmcrjetdukbqkkzwcjbo.tlg	ycjpykq.exe
File opened for modification	C:\Windows\SysWOW64\achlscgflqwajycojfmotxeosrx.imv	ycjpykq.exe

Drops file in Program Files directory 4 IoCs

Processes:

ycjpykq.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv	ycjpykq.exe
File created	C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv	ycjpykq.exe
File opened for modification	C:\Program Files (x86)\xkaphcrbsizoiixuahzmcrjetdukbqkkzwcjbo.tlg	ycjpykq.exe
File created	C:\Program Files (x86)\xkaphcrbsizoiixuahzmcrjetdukbqkkzwcjbo.tlg	ycjpykq.exe

Drops file in Windows directory 4 IoCs

Processes:

ycjpykq.exe

description	ioc	process
File opened for modification	C:\Windows\achlscgflqwajycojfmotxeosrx.imv	ycjpykq.exe
File created	C:\Windows\achlscgflqwajycojfmotxeosrx.imv	ycjpykq.exe
File opened for modification	C:\Windows\xkaphcrbsizoiixuahzmcrjetdukbqkkzwcjbo.tlg	ycjpykq.exe
File created	C:\Windows\xkaphcrbsizoiixuahzmcrjetdukbqkkzwcjbo.tlg	ycjpykq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ycjpykq.exe

pid	process
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe
2112	ycjpykq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ycjpykq.exe

description pid process

Token: SeDebugPrivilege 2112 ycjpykq.exe

description	pid	process
Token: SeDebugPrivilege	2112	ycjpykq.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

description	pid	process	target process
PID 2316 wrote to memory of 2112	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe
PID 2316 wrote to memory of 2112	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe
PID 2316 wrote to memory of 2112	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe
PID 2316 wrote to memory of 2112	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe
PID 2316 wrote to memory of 2248	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe
PID 2316 wrote to memory of 2248	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe
PID 2316 wrote to memory of 2248	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe
PID 2316 wrote to memory of 2248	2316	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe	ycjpykq.exe

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

Processes:

384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exeycjpykq.exeycjpykq.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ycjpykq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ycjpykq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	ycjpykq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	ycjpykq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe

C:\Users\Admin\AppData\Local\Temp\384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe
"C:\Users\Admin\AppData\Local\Temp\384064992f00adf3d56e85fd24ddf8c477b2f44a94f88ca5510d697919fb46cd.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316

C:\Users\Admin\AppData\Local\Temp\ycjpykq.exe
"C:\Users\Admin\AppData\Local\Temp\ycjpykq.exe" "-"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2112

C:\Users\Admin\AppData\Local\Temp\ycjpykq.exe
"C:\Users\Admin\AppData\Local\Temp\ycjpykq.exe" "-"
2⤵
- Modifies WinLogon for persistence
- UAC bypass
- Adds policy Run key to start application
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
ca3bfc6047ddbbac7bb7c5b00efd41c9

SHA1
d7177fabca58d07b08c54af28bebaed89c29f5c0

SHA256
6454d6400f50d3224f35a883d4157b2fdffa6b4cb4c70160fd290dfdec9415bb

SHA512
cda91e79686cb1eb183b7c091abeb524d51282dd03695e80b05d75c71ce071abff6a84a6f033348a5714b86d9608b0dd1a5efa18eede0e3e435f1b5f5b0d611c

Download Submit
C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
46a707649a2cbfface831a74cb9984ba

SHA1
dd6658aae736f3c44dba4a3ebf1530e6e8510ba0

SHA256
66ae82fe395a2205cbbda1c2929784a378af9d5359377e5b2ca612f73b772a00

SHA512
a50f07c79c2a176827a8d94e8fb955bce48b7b9371568afb7da2c9ab8f69e8526792887284acc3ec3f1e74c3d7a8b4c2cf7230ca91da56d9b1de8b2521027e85

Download Submit
C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
57b033b948fd1682845f53e11c511719

SHA1
b0ca7db59fa438c6bddce344bfa527f69ac88609

SHA256
8eabb3afbe58cf29714b77c74f5cc0ee0be4d110c250d872fcdf7a3166d11702

SHA512
18143f6ff3e83a8024c2e203e2b20e46ed3a0d2bee6ce357f686c778b817e24c0bc6c4df9c8e11d7fabd0ecdf5087442246a6d7a06538abeb3aa7784300cf98f

Download Submit
C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
dbe60d212b8736e5bdbced9c92548a04

SHA1
bb669af7d7dd21e97a4e3b49f8a7639f70efa5ab

SHA256
52e7c5168e5ac43dd9a1cf2b6e2a851c90b42e617461a3d24efef942188ca80f

SHA512
3b89f588d36d36b9021d02b87a0ef57e78cf8ca533dee2ddc2d138b09c4797fcd4f91b1041b8cfd368dbbd3ffe65936ef8fd6d353205b2c406516bb4b03cc92a

Download Submit
C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
6dc1877513c89a33735f86065ccd32c1

SHA1
58d84861c84691864b0561a409e32e8ad6cbab13

SHA256
cccc58715097f77a764e9255d2e3cdc3e664df962cf77601bace88664819fa0a

SHA512
894ca701c0d7db8650026535a3b7b1fb33b8cd9fa24dd140d9535352e4530483983268081a286d040f5839a1bd06cfb7108115f2b5b58b542cee5c1a67ccaf18

Download Submit
C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
aaefe9057562beb78fc38a2b61afbc52

SHA1
c858639729e2f764995b9432f831be6bab50133e

SHA256
e7d784d85e48119c79edf39668da9e44c4242197615cbdcd63e8981a31518da1

SHA512
b5d2b3d566c473c51ef1d2f52b599830323f7d1c4eb9224eceed672eddd593a5fb351799709a44811912dc32ff5ce3b837777dc3579d1e8b2269f4cbe401542d

Download Submit
C:\Program Files (x86)\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
b6cfeaa70b3026227e71b15c694bd03b

SHA1
8021d6de3ef7637ee08074741524f7c54f5a2087

SHA256
6a82a9a13f3af585ec37097a3ae685b7aee5d6d19f015f627ab920d4e1520c81

SHA512
6487ac1b696bcfe75219ef0bced8b581525dbfc4ba7814b365164852d333d5c3f91c6fcc5167714db2dccc952c98deda77927793e2149e91fa30bd654549566d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycjpykq.exe
Filesize
2.1MB

MD5
841988cb278121e5e1a90124201663ab

SHA1
fc94f25935235f04b0309cc58c90c54256804247

SHA256
fcb52758b1e316dcd7b7cf7eeaf9f29f3f974d953de5bb077585f774a710c92a

SHA512
3cb124b4a1874a860b0fa35f81ef901765f0c5ef5689b849aae995275e24ba861aacfe761d4650fa548e6bbf523eb62a53c051c44d06ff1657e7471ae356808e

Download Submit
C:\Users\Admin\AppData\Local\achlscgflqwajycojfmotxeosrx.imv
Filesize
280B

MD5
bea9b4786012e0d396b23e03d1500879

SHA1
65d6bd15c182f8d398923a60d629a6e8dd758141

SHA256
2bd6ff794ca278651a09067f697781584ff67d511d04e8fbb35c5bb2fae8a20b

SHA512
f1128cc9670b0abdd6a582c2f6b76e5a6ac9309ba225efb7d1eb6afb2d046823cad38695836088ed7da81b8a1a6b313c75ddd9f2d423e4e954a56f92312e2d8d

Download Submit
C:\Users\Admin\AppData\Local\xkaphcrbsizoiixuahzmcrjetdukbqkkzwcjbo.tlg
Filesize
4KB

MD5
5fa6362637deb23e396dea5c29c6498b

SHA1
c5de3e3b62af4e4902e8a562e59ae1b260cad0e7

SHA256
fcf9baf3fcc4eaae6635abf52dfc3aa25e9eb6373cbbde7199af55de8ec0cf6f

SHA512
5760e0ff243191d19a75b4f5c4814896b0526e80ee8bbb8281e195c2f83fc652d23f7570dd89fbdc7937c2b01ada5e3a1a78e7b201672b8690f56cd94b2dbb4c

Download Submit