c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
Size

920KB
MD5

5c082fea579b6c72d426961c2342c625
SHA1

a6160691d1f1a8408e12c3ae6a58a702b67df05b
SHA256

c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06
SHA512

0eaf60ed57b0a88fc774b28a6c1bc3992c28811805f79debbafeb2abf37b07800609b344268583b73f6e8e0149d773bf8579cdf768ba091eeb864743d840b824
SSDEEP

6144:es0Coo08x5IFkvtcwKuHhPAznhJBy1J5CQSojuQ8SRyYnaNSOuxJ5CQSojuQ8SRW:eIXzFJHm7hD7QuJNYnncQuJrnuYnn

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exelsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe

Executes dropped EXE 3 IoCs

Processes:

lsass.exelsass.exelsass.exe

pid process

1932 lsass.exe
656 lsass.exe
1064 lsass.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1880 netsh.exe

pid	process
1932	lsass.exe
656	lsass.exe
1064	lsass.exe

pid	process
1880	netsh.exe

Loads dropped DLL 2 IoCs

Processes:

c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe

pid	process
1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exec39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "\"C:\\Users\\Admin\\AppData\\Roaming\\lsass.exe\""	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exelsass.exe

description	pid	process	target process
PID 748 set thread context of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 set thread context of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 1932 set thread context of 656	1932	lsass.exe	lsass.exe
PID 1932 set thread context of 1064	1932	lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F848E1D1-4375-11ED-B531-52E8C5FCC7C7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000006eb2f3179efccf76642bdf437b0090b3d17287722f1feeed29c3eea7e86ae38a000000000e8000000002000020000000783031e191a24f1eec7d7b3abb81bb9b79cce3b4fd0b6ec51a287c554e537dd7900000003201433a25ef1ea4c938334fe2d6c166471babe56e302623733b1ca72bc6b02e1c86c8e2c3091dbc1eb1c7c7b31d4817919996e786bf19f3e98a8d71dbc52dbb416289b100f661a0eac920c126c1f1dd6e0979a4ce6b5133b0405a8ef0172afcb98fec0b87e386e1658eaad7b91fda573896a62db65546c5a44ce7794daec7ccce32d04a9f4a4d3ca720fa463a997d6440000000d0da2c4e1637f82c0da740f8d2ccea2719ebf5c8b0ab671db5e1de76152e05c99a737c03819f02c93379ac15c3b58cd0604b7046ad84901ef1005fea36e65947	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371605925"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000005f9320076f82847f27751c95026850bf9777d0561d37fa30fe9485fee741464e000000000e8000000002000020000000d86a6d0ab53ab40de8eae12c63bea1d494034923bea336da3436e6076662e7ec20000000d01a7c30c2eaec5d3a29806cdbb71f99416c0451af7e24ea28521475b4f691e040000000c667e3dde96507e20c4f068128487bbf49054ae8067767b45697bd0c0af998f5245bba2d69a7047611a368110c22d182f059b26abd41bb4b14c7fd7a02f78c0b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908b50d782d7d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6D329F1-4375-11ED-B531-52E8C5FCC7C7} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1996 iexplore.exe
956 iexplore.exe

pid	process
1996	iexplore.exe
956	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exec39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exelsass.exelsass.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
1932	lsass.exe
656	lsass.exe
1996	iexplore.exe
1996	iexplore.exe
956	iexplore.exe
956	iexplore.exe
1176	IEXPLORE.EXE
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

description	pid	process	target process
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 1952	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 748 wrote to memory of 2032	748	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
PID 1952 wrote to memory of 1880	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	netsh.exe
PID 1952 wrote to memory of 1880	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	netsh.exe
PID 1952 wrote to memory of 1880	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	netsh.exe
PID 1952 wrote to memory of 1880	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	netsh.exe
PID 1952 wrote to memory of 1932	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	lsass.exe
PID 1952 wrote to memory of 1932	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	lsass.exe
PID 1952 wrote to memory of 1932	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	lsass.exe
PID 1952 wrote to memory of 1932	1952	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 656	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1932 wrote to memory of 1064	1932	lsass.exe	lsass.exe
PID 1064 wrote to memory of 1996	1064	lsass.exe	iexplore.exe
PID 1064 wrote to memory of 1996	1064	lsass.exe	iexplore.exe
PID 1064 wrote to memory of 1996	1064	lsass.exe	iexplore.exe
PID 1064 wrote to memory of 1996	1064	lsass.exe	iexplore.exe
PID 2032 wrote to memory of 956	2032	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	iexplore.exe
PID 2032 wrote to memory of 956	2032	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	iexplore.exe
PID 2032 wrote to memory of 956	2032	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	iexplore.exe
PID 2032 wrote to memory of 956	2032	c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe	iexplore.exe
PID 1996 wrote to memory of 1176	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1176	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1176	1996	iexplore.exe	IEXPLORE.EXE
PID 1996 wrote to memory of 1176	1996	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1524	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1524	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1524	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1524	956	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
"C:\Users\Admin\AppData\Local\Temp\c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
C:\Users\Admin\AppData\Local\Temp\c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram program = C:\Users\Admin\AppData\Roaming\lsass.exename = Nero mode = ENABLE
3⤵
- Modifies Windows Firewall
PID:1880

C:\Users\Admin\AppData\Roaming\lsass.exe
"C:\Users\Admin\AppData\Roaming\lsass.exe" /d C:\Users\Admin\AppData\Local\Temp\c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:656

C:\Users\Admin\AppData\Roaming\lsass.exe
C:\Users\Admin\AppData\Roaming\lsass.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=lsass.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:340993 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Users\Admin\AppData\Local\Temp\c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
C:\Users\Admin\AppData\Local\Temp\c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=c39c77b0016195a9bdc4bd077b1b125d2f60cc0016a3f84a68d6c58bf4852e06.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F6D329F1-4375-11ED-B531-52E8C5FCC7C7}.dat
Filesize
4KB

MD5
cb2af38294b4c68b8ac1e87142b0dcdb

SHA1
beaf3cd99027224844c0536592a84c843422745c

SHA256
f35dd79e854cd7b788230a5a27c2bb622145feeacc6dbd42837463fafba16833

SHA512
cbb803320ec7941e9a21c44b766792d37b56120280ad9091fd36e3e7c3a8316fe953b0f9c85bfb91f6f65c727179afad2927315db28bd49c4d2420923c471ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F848E1D1-4375-11ED-B531-52E8C5FCC7C7}.dat
Filesize
3KB

MD5
06615b52daee18a6a6e3a928391d1ee7

SHA1
13249529c7ef7368ce765ed4f7b47cdfb2e9bcd3

SHA256
7b726519868dd947c24bb9061cf6758210d0699a23139e0cef19c23b592a35d0

SHA512
39ff306139a8d492584ea4495edd72606af3f8a24b1ae75f4d48323d87fbc535b9e959512f6cf47874329b3e1db8912eea49018c41289ba9270753f4152aa8ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3T5HJ87D.txt
Filesize
606B

MD5
fe1e32dff35c6f8f9cb82e8c38057bb6

SHA1
b2be9b497dc8a0367a8ae1cb0f734b6f7ddf0a34

SHA256
95fa3d67b72e2aa2d79e7bfe07cfe175f3eba24e62700939efb5be79a2b756f7

SHA512
491cae2159b358d1034aeda83b2b6dfba445562d98bee673f076dfe714780466332861048996855ad19a691eec9b8f530001a17a949b44fbad0d2bf1436bee9a

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
920KB

MD5
32510428a9e2c22fad9e41a110dc962d

SHA1
69d55915b563f7cfbfb175e1aed43475bc9b8de9

SHA256
767a8456f2ae7a813552329af103841d1b7f29d2304a2c25189d0c5efbb60640

SHA512
9259838da27b1e1a3c0f060bcad2c7b5632ece888b1849e67bc9ebcd39797f263bdbbbf1a954558a292526e66eebea11970060bb4adb9df55576f15797c756e9

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
920KB

MD5
32510428a9e2c22fad9e41a110dc962d

SHA1
69d55915b563f7cfbfb175e1aed43475bc9b8de9

SHA256
767a8456f2ae7a813552329af103841d1b7f29d2304a2c25189d0c5efbb60640

SHA512
9259838da27b1e1a3c0f060bcad2c7b5632ece888b1849e67bc9ebcd39797f263bdbbbf1a954558a292526e66eebea11970060bb4adb9df55576f15797c756e9

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
920KB

MD5
32510428a9e2c22fad9e41a110dc962d

SHA1
69d55915b563f7cfbfb175e1aed43475bc9b8de9

SHA256
767a8456f2ae7a813552329af103841d1b7f29d2304a2c25189d0c5efbb60640

SHA512
9259838da27b1e1a3c0f060bcad2c7b5632ece888b1849e67bc9ebcd39797f263bdbbbf1a954558a292526e66eebea11970060bb4adb9df55576f15797c756e9

Download Submit
C:\Users\Admin\AppData\Roaming\lsass.exe
Filesize
920KB

MD5
32510428a9e2c22fad9e41a110dc962d

SHA1
69d55915b563f7cfbfb175e1aed43475bc9b8de9

SHA256
767a8456f2ae7a813552329af103841d1b7f29d2304a2c25189d0c5efbb60640

SHA512
9259838da27b1e1a3c0f060bcad2c7b5632ece888b1849e67bc9ebcd39797f263bdbbbf1a954558a292526e66eebea11970060bb4adb9df55576f15797c756e9

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe
Filesize
920KB

MD5
32510428a9e2c22fad9e41a110dc962d

SHA1
69d55915b563f7cfbfb175e1aed43475bc9b8de9

SHA256
767a8456f2ae7a813552329af103841d1b7f29d2304a2c25189d0c5efbb60640

SHA512
9259838da27b1e1a3c0f060bcad2c7b5632ece888b1849e67bc9ebcd39797f263bdbbbf1a954558a292526e66eebea11970060bb4adb9df55576f15797c756e9

Download Submit
\Users\Admin\AppData\Roaming\lsass.exe
Filesize
920KB

MD5
32510428a9e2c22fad9e41a110dc962d

SHA1
69d55915b563f7cfbfb175e1aed43475bc9b8de9

SHA256
767a8456f2ae7a813552329af103841d1b7f29d2304a2c25189d0c5efbb60640

SHA512
9259838da27b1e1a3c0f060bcad2c7b5632ece888b1849e67bc9ebcd39797f263bdbbbf1a954558a292526e66eebea11970060bb4adb9df55576f15797c756e9

Download Submit
memory/656-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/656-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/656-95-0x0000000000402A0C-mapping.dmp

Download
memory/748-78-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1064-108-0x0000000000464A8E-mapping.dmp

Download
memory/1880-81-0x0000000000000000-mapping.dmp

Download
memory/1932-114-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/1932-84-0x0000000000000000-mapping.dmp

Download
memory/1952-80-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1952-115-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-59-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1952-62-0x0000000000402A0C-mapping.dmp

Download
memory/1952-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-74-0x0000000000464A8E-mapping.dmp

Download
memory/2032-67-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2032-65-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2032-68-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2032-64-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2032-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2032-73-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2032-76-0x0000000000402000-0x0000000000464C00-memory.dmp

Filesize
395KB

Download
memory/2032-77-0x0000000000402000-0x0000000000464C00-memory.dmp

Filesize
395KB

Download