Analysis
-
max time kernel
181s -
max time network
193s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
24-11-2022 00:29
Behavioral task
behavioral1
Sample
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
Resource
win10v2004-20221111-en
General
-
Target
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
-
Size
1.0MB
-
MD5
516a264d8e43a5ddd5353693b300e4d5
-
SHA1
d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
-
SHA256
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
-
SHA512
c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
-
SSDEEP
1536:SNIkp2IdtEo1gbsSklrZWNXuQHPGrQ+wEaYNyZf/3Qcn6aNirob1e4p24JMdWqhM:9YvEo13SklFWNVerQ+KMspBMgX24iE
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 14 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications winlogon.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
winlogon.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts winlogon.exe -
Executes dropped EXE 3 IoCs
Processes:
winlogon.exewinlogon.exewinlogon.exepid process 756 winlogon.exe 1640 winlogon.exe 736 winlogon.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
Processes:
winlogon.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinject.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmor.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swnetsup.exe winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmon.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsysnt.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npscheck.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdetect.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccshtdwn.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\azonealarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defscangui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet98.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95ct.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wgfe95.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccshtdwn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winroute.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95_o.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntrtscan.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alerter.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe winlogon.exe -
Processes:
resource yara_rule behavioral1/memory/1396-54-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral1/memory/1396-55-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral1/memory/1156-58-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1156-60-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1156-61-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1156-64-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1156-65-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1156-66-0x0000000000400000-0x000000000041C000-memory.dmp upx \Users\Admin\E696D64614\winlogon.exe upx \Users\Admin\E696D64614\winlogon.exe upx C:\Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/1156-74-0x0000000000400000-0x000000000041C000-memory.dmp upx C:\Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/756-75-0x0000000000400000-0x0000000000435000-memory.dmp upx C:\Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/756-85-0x0000000000400000-0x0000000000435000-memory.dmp upx behavioral1/memory/1640-92-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/1640-93-0x0000000000400000-0x000000000041C000-memory.dmp upx behavioral1/memory/736-94-0x0000000000400000-0x0000000000443000-memory.dmp upx C:\Users\Admin\E696D64614\winlogon.exe upx behavioral1/memory/736-98-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/736-99-0x0000000000400000-0x0000000000443000-memory.dmp upx behavioral1/memory/736-103-0x0000000000400000-0x0000000000443000-memory.dmp upx -
Drops startup file 1 IoCs
Processes:
winlogon.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe winlogon.exe -
Loads dropped DLL 2 IoCs
Processes:
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exepid process 1156 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 1156 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus winlogon.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
winlogon.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe -
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exewinlogon.exewinlogon.exedescription pid process target process PID 1396 set thread context of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 756 set thread context of 1640 756 winlogon.exe winlogon.exe PID 1640 set thread context of 736 1640 winlogon.exe winlogon.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
Processes:
winlogon.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Sound winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\Sound\Beep = "no" winlogon.exe -
Processes:
iexplore.exeIEXPLORE.EXEwinlogon.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://7j7dlj703x77f3n.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://0ecz5k107lc385p.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://npxkwb70zl7q308.directorio-w.com" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://4gy65sn0r2w22qj.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" winlogon.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://oz53g53svfun0i2.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://089k7144r8q377i.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://2za24u99id4871r.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Download winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61E3CB61-6BB6-11ED-8589-FE63F52BA449} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://jbj76i81s8yavyv.directorio-w.com" winlogon.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://846cig21z8i7546.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://3dliyl608c2371f.directorio-w.com" winlogon.exe -
Modifies registry class 24 IoCs
Processes:
winlogon.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec winlogon.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
winlogon.exepid process 736 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
winlogon.exedescription pid process Token: SeBackupPrivilege 736 winlogon.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1772 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exewinlogon.exewinlogon.exeiexplore.exeIEXPLORE.EXEpid process 1156 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 1640 winlogon.exe 736 winlogon.exe 1772 iexplore.exe 1772 iexplore.exe 1480 IEXPLORE.EXE 1480 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exewinlogon.exewinlogon.exeiexplore.exedescription pid process target process PID 1396 wrote to memory of 616 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe svchost.exe PID 1396 wrote to memory of 616 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe svchost.exe PID 1396 wrote to memory of 616 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe svchost.exe PID 1396 wrote to memory of 616 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe svchost.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1396 wrote to memory of 1156 1396 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe PID 1156 wrote to memory of 756 1156 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe winlogon.exe PID 1156 wrote to memory of 756 1156 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe winlogon.exe PID 1156 wrote to memory of 756 1156 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe winlogon.exe PID 1156 wrote to memory of 756 1156 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe winlogon.exe PID 756 wrote to memory of 676 756 winlogon.exe svchost.exe PID 756 wrote to memory of 676 756 winlogon.exe svchost.exe PID 756 wrote to memory of 676 756 winlogon.exe svchost.exe PID 756 wrote to memory of 676 756 winlogon.exe svchost.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 756 wrote to memory of 1640 756 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1640 wrote to memory of 736 1640 winlogon.exe winlogon.exe PID 1772 wrote to memory of 1480 1772 iexplore.exe IEXPLORE.EXE PID 1772 wrote to memory of 1480 1772 iexplore.exe IEXPLORE.EXE PID 1772 wrote to memory of 1480 1772 iexplore.exe IEXPLORE.EXE PID 1772 wrote to memory of 1480 1772 iexplore.exe IEXPLORE.EXE -
System policy modification 1 TTPs 6 IoCs
Processes:
winlogon.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe"C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\\svchost.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\\svchost.exe4⤵
-
C:\Users\Admin\E696D64614\winlogon.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"5⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
1.0MB
MD5516a264d8e43a5ddd5353693b300e4d5
SHA1d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
SHA25685ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
SHA512c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
1.0MB
MD5516a264d8e43a5ddd5353693b300e4d5
SHA1d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
SHA25685ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
SHA512c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
1.0MB
MD5516a264d8e43a5ddd5353693b300e4d5
SHA1d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
SHA25685ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
SHA512c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
-
C:\Users\Admin\E696D64614\winlogon.exeFilesize
1.0MB
MD5516a264d8e43a5ddd5353693b300e4d5
SHA1d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
SHA25685ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
SHA512c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
-
\Users\Admin\E696D64614\winlogon.exeFilesize
1.0MB
MD5516a264d8e43a5ddd5353693b300e4d5
SHA1d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
SHA25685ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
SHA512c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
-
\Users\Admin\E696D64614\winlogon.exeFilesize
1.0MB
MD5516a264d8e43a5ddd5353693b300e4d5
SHA1d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
SHA25685ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
SHA512c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
-
memory/616-56-0x0000000000000000-mapping.dmp
-
memory/676-76-0x0000000000000000-mapping.dmp
-
memory/736-99-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/736-94-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/736-95-0x00000000004416E0-mapping.dmp
-
memory/736-98-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/736-103-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/756-72-0x0000000000000000-mapping.dmp
-
memory/756-75-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/756-85-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1156-65-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1156-58-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1156-74-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1156-66-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1156-64-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1156-69-0x0000000075BE1000-0x0000000075BE3000-memory.dmpFilesize
8KB
-
memory/1156-57-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1156-62-0x000000000041AAC0-mapping.dmp
-
memory/1156-61-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1156-60-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1396-54-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1396-55-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1640-83-0x000000000041AAC0-mapping.dmp
-
memory/1640-93-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB
-
memory/1640-92-0x0000000000400000-0x000000000041C000-memory.dmpFilesize
112KB