b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

Change Default File Association

T1042

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

Modify Registry

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

Modify Registry

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Disables RegEdit via registry modification 2 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

Processes:

xk.exeIExplorer.exeWINLOGON.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXE

pid	process
2212	xk.exe
1160	IExplorer.exe
4924	WINLOGON.EXE
980	xk.exe
3768	IExplorer.exe
1108	WINLOGON.EXE
3712	CSRSS.EXE
4700	SERVICES.EXE
3240	LSASS.EXE
2024	SMSS.EXE
2960	CSRSS.EXE
3680	SERVICES.EXE
4104	LSASS.EXE
224	SMSS.EXE

UPX packed file 40 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1056-130-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\xk.exe	upx
C:\Windows\xk.exe	upx
behavioral2/memory/2212-139-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\IExplorer.exe	upx
C:\Windows\SysWOW64\IExplorer.exe	upx
behavioral2/memory/1160-144-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
behavioral2/memory/4924-150-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\xk.exe	upx
behavioral2/memory/980-156-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Windows\SysWOW64\IExplorer.exe	upx
behavioral2/memory/3768-158-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
behavioral2/memory/3768-161-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1108-166-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE	upx
behavioral2/memory/3712-172-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE	upx
behavioral2/memory/4700-178-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE	upx
behavioral2/memory/3240-184-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE	upx
behavioral2/memory/2024-190-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1056-191-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
behavioral2/memory/2960-196-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
behavioral2/memory/3680-199-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3680-203-0x0000000000400000-0x0000000000430000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
behavioral2/memory/4104-207-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/224-212-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1056-213-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
File opened for modification	C:\desktop.ini	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File created	C:\desktop.ini	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
File opened (read-only)	\??\U:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\F:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\K:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\L:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\M:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\O:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\P:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\T:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\W:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\H:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\I:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\N:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\B:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\E:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\G:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\Q:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\V:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\X:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\Y:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\J:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\R:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\S:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened (read-only)	\??\Z:	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Drops file in System32 directory 6 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shell.exe	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File created	C:\Windows\SysWOW64\shell.exe	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File created	C:\Windows\SysWOW64\Mig2.scr	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Drops file in Windows directory 2 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
File opened for modification	C:\Windows\xk.exe	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
File created	C:\Windows\xk.exe	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Modifies Control Panel 4 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Modifies registry class 15 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

pid	process
1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exexk.exeIExplorer.exeWINLOGON.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXE

pid	process
1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
2212	xk.exe
1160	IExplorer.exe
4924	WINLOGON.EXE
980	xk.exe
3768	IExplorer.exe
1108	WINLOGON.EXE
3712	CSRSS.EXE
4700	SERVICES.EXE
3240	LSASS.EXE
2024	SMSS.EXE
2960	CSRSS.EXE
3680	SERVICES.EXE
4104	LSASS.EXE
224	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	pid	process	target process
PID 1056 wrote to memory of 2212	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	xk.exe
PID 1056 wrote to memory of 2212	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	xk.exe
PID 1056 wrote to memory of 2212	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	xk.exe
PID 1056 wrote to memory of 1160	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	IExplorer.exe
PID 1056 wrote to memory of 1160	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	IExplorer.exe
PID 1056 wrote to memory of 1160	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	IExplorer.exe
PID 1056 wrote to memory of 4924	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	WINLOGON.EXE
PID 1056 wrote to memory of 4924	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	WINLOGON.EXE
PID 1056 wrote to memory of 4924	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	WINLOGON.EXE
PID 1056 wrote to memory of 980	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	xk.exe
PID 1056 wrote to memory of 980	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	xk.exe
PID 1056 wrote to memory of 980	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	xk.exe
PID 1056 wrote to memory of 3768	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	IExplorer.exe
PID 1056 wrote to memory of 3768	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	IExplorer.exe
PID 1056 wrote to memory of 3768	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	IExplorer.exe
PID 1056 wrote to memory of 1108	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	WINLOGON.EXE
PID 1056 wrote to memory of 1108	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	WINLOGON.EXE
PID 1056 wrote to memory of 1108	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	WINLOGON.EXE
PID 1056 wrote to memory of 3712	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	CSRSS.EXE
PID 1056 wrote to memory of 3712	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	CSRSS.EXE
PID 1056 wrote to memory of 3712	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	CSRSS.EXE
PID 1056 wrote to memory of 4700	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SERVICES.EXE
PID 1056 wrote to memory of 4700	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SERVICES.EXE
PID 1056 wrote to memory of 4700	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SERVICES.EXE
PID 1056 wrote to memory of 3240	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	LSASS.EXE
PID 1056 wrote to memory of 3240	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	LSASS.EXE
PID 1056 wrote to memory of 3240	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	LSASS.EXE
PID 1056 wrote to memory of 2024	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SMSS.EXE
PID 1056 wrote to memory of 2024	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SMSS.EXE
PID 1056 wrote to memory of 2024	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SMSS.EXE
PID 1056 wrote to memory of 2960	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	CSRSS.EXE
PID 1056 wrote to memory of 2960	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	CSRSS.EXE
PID 1056 wrote to memory of 2960	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	CSRSS.EXE
PID 1056 wrote to memory of 3680	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SERVICES.EXE
PID 1056 wrote to memory of 3680	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SERVICES.EXE
PID 1056 wrote to memory of 3680	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SERVICES.EXE
PID 1056 wrote to memory of 4104	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	LSASS.EXE
PID 1056 wrote to memory of 4104	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	LSASS.EXE
PID 1056 wrote to memory of 4104	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	LSASS.EXE
PID 1056 wrote to memory of 224	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SMSS.EXE
PID 1056 wrote to memory of 224	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SMSS.EXE
PID 1056 wrote to memory of 224	1056	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe	SMSS.EXE

System policy modification 1 TTPs 4 IoCs

Modify Registry

Processes:

b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe

C:\Users\Admin\AppData\Local\Temp\b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe
"C:\Users\Admin\AppData\Local\Temp\b8e309c3d298b53ddf03e0e0e6b06eb6e3c6471c3718df83fa65211a374254d2.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1056

C:\Windows\xk.exe
C:\Windows\xk.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1160

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\xk.exe
C:\Windows\xk.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:980

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3768

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2960

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4104

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories