ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c

Analysis

max time kernel
190s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2022 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe
Size

997KB
MD5

838b7026d2fc8658ad6aa4d09f222675
SHA1

4f8bff1d7a33cf72b653202cb5676a45d7d04b36
SHA256

ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c
SHA512

542dfc5f3e2a0425366fb98271263571d683a859d3f465fadc9a28061bf7cd615071f37712419362e3d60d42a848ad7174bc6ea3b3518a80dc99b45ebdb3fd89
SSDEEP

1536:2fRN2/SWANOttpVxXVIXKL7mxUH1OibPoQT9lnouy8:EOAKnrq6Oxo1OcRJ9out

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-68558578"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-8853500"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-2459824"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-73259138"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 2 IoCs

pid	Process
1104	winlogon.exe
4204	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winhlpp32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nc2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Diskmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-98.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecengine.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpcmap.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgm32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notstart.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tauscan.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE	winlogon.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2400-134-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000400000001e81b-137.dat	upx
behavioral2/memory/2400-138-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000400000001e81b-136.dat	upx
behavioral2/memory/1104-141-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4204-143-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x000400000001e81b-144.dat	upx
behavioral2/memory/4204-146-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4204-147-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4204-156-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4204-157-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3434255584152474 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3434255584152474 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 4204	1104	winlogon.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "8753"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a10000000000200000000001066000000010000200000003d749b4f58a8dee19b17a783697a2b531796436ca6362e93d0bafcfd938a5e79000000000e800000000200002000000062f85fa7c26526d0e4629234c69eb4b9597ba4b63b66555cf9bf1048d21753ca2000000066985453dcf41bec50d90070b3dcae60b7f5bf087c1724d9b146e0b447e58b3940000000ac4527127fcba26bac65f1c284c28d4afbc7fb62dab6da43f95cb31fa539f320e1a5456bb893efb925cb938fb157140c07e007256259f410807e35e8fb8c0505	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e03563b2f9ebd801	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://5f47s3c911id3gv.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2361558705"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1155"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://46xd55g0xoon8ev.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1161"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B31D1153-57EC-11ED-89AC-C264E7FE3618} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2361558705"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993401"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1161"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000975fab978604b14697eb522259e91a100000000002000000000010660000000100002000000045cb1b406e6eb00a83d04f3e05a2605070eb9bdfdf3280f72043abc6a8749319000000000e8000000002000020000000983b01930d37a10896f3956e21d50ae4615f86d815cb0da8f3952ebab4c60777200000003a30eb314c11c909792570d74a146320060b4eedfcbce3221b2b757948b8ecf4400000003e34866ec1297119f204eada6f03718e1719e1c8e21c702bc402e487e2f31a8ed8be68601863fbd88914b8b1a05655ca22236255253787a7130534c4eec6e015	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://nwm049898947hwj.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993401"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b078b6a6f9ebd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "8753"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "115"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "282"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "200"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://9pl9mw2o155a9e8.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2369371417"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2369371417"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1040"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://k3vp84c32a5m3e3.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://7umtpmlr581ncqu.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://9drou2w01p173q0.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1040"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://35bi429hq57m143.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://wo0hxds8loml2o9.directorio-w.com"	winlogon.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{5448FCCB-6592-4679-B833-FA7252262375}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{45A160CE-E43C-432F-9A2A-F3774733F456}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	winlogon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe
4204	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	4204	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4276	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2400	ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe
1104	winlogon.exe
4204	winlogon.exe
4276	iexplore.exe
4276	iexplore.exe
4324	IEXPLORE.EXE
4324	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1104	2400	ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe	82
PID 2400 wrote to memory of 1104	2400	ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe	82
PID 2400 wrote to memory of 1104	2400	ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe	82
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 1104 wrote to memory of 4204	1104	winlogon.exe	83
PID 4276 wrote to memory of 4324	4276	iexplore.exe	90
PID 4276 wrote to memory of 4324	4276	iexplore.exe	90
PID 4276 wrote to memory of 4324	4276	iexplore.exe	90

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe
"C:\Users\Admin\AppData\Local\Temp\ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets file execution options in registry
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4204

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4276 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
34feb9279587011e5bd1bc825e7d2943

SHA1
d7ad421c0f4c305936e4b6b1ee3b4d73dea0b094

SHA256
96b9b67b871e3adbab0a5b0ba635679443636a97c7dd2f19fec1b45a2dd36a5d

SHA512
9fd6ff36a966661ab2ccd5e0c2dd0b24661fc87686fe039db97f79eecbb1504ac9735462b16d8657ef900e3bc405c149ff98c32aa1c682b83d2ffd2382b5f285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
506B

MD5
3d7b0627fee097a430d320bd8c68fe18

SHA1
0a87d13d3cf959c0766823a0a3b9ba915d78d451

SHA256
daacc20224c99d0f6de9d92e9c1c28a4d66cd085c2c4c38c4122a1202fe70d75

SHA512
31e37df96c288532b16fa7a2f182226888b4a3b63410f0df2a08daeaa9d66ef910f469e16978cced9aaa202853031eb0385653c6680af0646828ea1cc1b64c28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a66314123c8c72372bcb8583a5400a95

SHA1
fc3e45060463c37775da0bd4a8920296d222753d

SHA256
657c92d95798fc5dad4272f3d6d71776737ac0bcdce4ac6864ca5532f2ccf34d

SHA512
d9f5c243b04d7b3fbbcb37c68c583db672390644500cfa4d58280048d9fde52c668fd67e84ecd6ace20b2813eefb756627adbd04a6f19719f6e907aa3fffe4f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

Filesize
472B

MD5
2dab1f757cc31050f6d69fdd4fa19758

SHA1
b33d0a0c447289ba292b1c72c0a32e941956dfc9

SHA256
4776d094340d32dcc2708c743cf0c2af2db8713cce715e1e2e3245990e45e1df

SHA512
3d4474d34fb57079406ccf8380a5c82d4a06bb415a3b397764dfa6c813b492e3003aa308d5cdb807b67c42197732d6efb5196b092cf5431be31ab52e799f08d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
eb8a30c3253e0e0471f222fb33ffa1b3

SHA1
7ef5daae4b9d700e88e360758e1a2ca58054c27e

SHA256
45e9fa4bd1a1ddaf2cb6df9602306131431eaef76c28332f9edf0769e5d61466

SHA512
c060ef66827f2aa0161ad5df966d3d1536aeb6c328570270dedf3a957184d4264a2add048236220fcf96d0074584cc9af3dcacfa63519e0df3d9b49ccae22e01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9

Filesize
248B

MD5
388065cacc80d9041aa4e0370cf61fb7

SHA1
7008a0a105c127473ed1a6f88a439ef6ebdf994b

SHA256
87b56f9995a9142b694fdc6946d6b020c01b21e710c21ad3b6f5dc0f053a1dee

SHA512
0547b4d272c08c0606949d004df3849e4e670a54cc781b5b9cab432dd53a91396dee8404793058f7be7d388e44a4a7a98d90d7f43efae0ba495c2d07e650c02e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
42f03a2bd832ec5368b5f8c88c4009a3

SHA1
ade50945885b51619fd39f8c87e79507a2692506

SHA256
736e534c8c8e9c52db6e5f3e7bc06c70777e36958f200b5921f82f184ce8f775

SHA512
5add4d22972fea45b2fa3b3b162dc981c8e1775be303b1523b6f4998bdd8f0769b5d58cd4044c58a21b48886462ff8d1a2d0eac1f44c07aa08b52adf82afccb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

Filesize
480B

MD5
d3e8b29876e64bfd674e594c097fd181

SHA1
b091e5b42cd16c8861e984f8fdaa06bd35884c3d

SHA256
9c70210633b77ed1dc370439866200a484fb46bed78448138d7c7d5e3f55efb5

SHA512
68baf2c9745ab8bfc92625b09e4a7370f9a18b91346dabe2c625085ab7e194d68ba8db2fcf403b833014f1c628538fe5fcfb6a144c4c9aeeeb81a4c09d1b81c3

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
997KB

MD5
838b7026d2fc8658ad6aa4d09f222675

SHA1
4f8bff1d7a33cf72b653202cb5676a45d7d04b36

SHA256
ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c

SHA512
542dfc5f3e2a0425366fb98271263571d683a859d3f465fadc9a28061bf7cd615071f37712419362e3d60d42a848ad7174bc6ea3b3518a80dc99b45ebdb3fd89

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
997KB

MD5
838b7026d2fc8658ad6aa4d09f222675

SHA1
4f8bff1d7a33cf72b653202cb5676a45d7d04b36

SHA256
ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c

SHA512
542dfc5f3e2a0425366fb98271263571d683a859d3f465fadc9a28061bf7cd615071f37712419362e3d60d42a848ad7174bc6ea3b3518a80dc99b45ebdb3fd89

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
997KB

MD5
838b7026d2fc8658ad6aa4d09f222675

SHA1
4f8bff1d7a33cf72b653202cb5676a45d7d04b36

SHA256
ff9e1c96074354c5448826c8b235ac900f69d29698d112899850f69640a9372c

SHA512
542dfc5f3e2a0425366fb98271263571d683a859d3f465fadc9a28061bf7cd615071f37712419362e3d60d42a848ad7174bc6ea3b3518a80dc99b45ebdb3fd89

Download Submit
memory/1104-141-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1104-135-0x0000000000000000-mapping.dmp

Download
memory/2400-134-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2400-138-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4204-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4204-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4204-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4204-142-0x0000000000000000-mapping.dmp

Download
memory/4204-156-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4204-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download