ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e

Analysis

max time kernel
153s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe
Size

1.1MB
MD5

922f13354a57e00020a78680d844dc0a
SHA1

c2e6c1bdfec4593c6d30ac3cdc530be2fc6b35d6
SHA256

ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e
SHA512

b78f8f3bcb6202e0456efaeb379f3c39b637c74203a13278204aa20a3a9c57e77926d678bbc047af0eca3285b1397999cc7dd73739ef85d9841289b6f2a823a0
SSDEEP

1536:7I17SYMoQEeZ3tmnunbHq7eOHc3Hbuk93VMjBmGQSbcW+gZ372Fc0h:i4otehtmnuLqdHguq3pGz4W+g

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
4584	winlogon.exe
3504	winlogon.exe
3416	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navlu32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\earthagent.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupdate.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdoc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ewido.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\undoboot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan40.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2Fix.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rulaunch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdll.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEDFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupdate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdclt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Opera_964_int_Setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fa-setup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcdsetup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4964-133-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4964-135-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4964-136-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4964-141-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3504-151-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3416-153-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3416-156-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3416-157-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3416-166-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 4584 set thread context of 3504	4584	winlogon.exe	82
PID 3504 set thread context of 3416	3504	winlogon.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Sound\Beep = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Sound	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3804"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "3747"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://1s179407tac74zz.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.hugedomains.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3017"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "2960"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "57"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999506"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ba9fb587d32a4e4ba18d239a48739ea800000000020000000000106600000001000020000000ae59b1d90c94801880c93b95c37413f519cf5042147a9495ea02a31c85ec9b01000000000e8000000002000020000000da0bc4386492f72867d4082c37a990ed080e7d2690d5f32203c12c87274351a82000000037f92c70d2fa664b6e85c4fc55534f3744cd312c5e6c0ac2a6d7b498b847041740000000c83eefea66d14838b53289d817787f1a70d137ba6c353b1cc4da7d61c5d14dffa1facbe0bb68f65a73494316fb4459532e86cd6784758db91ad1327bd6c12ef3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1043"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://qd9e11679b7axl2.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "6"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ba9fb587d32a4e4ba18d239a48739ea800000000020000000000106600000001000020000000a18e8307aafa1169818c24408bace270dc3e2be19d07ddbb1572a44123d71573000000000e8000000002000020000000a860252f59929eacbfd45622919ecb477e279643b791d1214622d20d92e035562000000026a37a0b1fa504399bf29973fa1829383399667908727dc2746ca668f575d15c40000000c243cc2fbce8ce267a6d81e74196f3c5d0f472fd1925b15f2cb85bc5532548ef4a8ba9df299e4b2b9852da240538ec90f94cd5da1cd62f6ad8f8974e18c1d369	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://480s02b65xiriwn.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\Total = "32"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1143353700"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.hugedomains.com\ = "32"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00445542d203d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "3747"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "121"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "3099"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://x1z4563441g2951.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://6em3t897909o63p.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "2960"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "986"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "282"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1146012110"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "172"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "3042"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ba9fb587d32a4e4ba18d239a48739ea80000000002000000000010660000000100002000000045a5f65ef96ba7c0b48c1cea61ed2c6749a87ec62fbc6d56e73f285fededaeea000000000e8000000002000020000000cd899e51d67d4eca4b3a3368a2eec01f14765ecf6899b3534c5f9ef01989266b20000000dd892cf3273df02d790f8622192a201bc91272ad9c1b0f576fbfe44904165d0140000000053cd4c8f6d386963ee37c90a3de4ffb3a7afdbd0a0acecaa70ca5b14712d1dacb132799c587409901949da084306251997474bced4d9cf90579276fc8d0e9a5	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999506"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999506"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "121"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "3042"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://3473p3v489acer8.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://2aesi4k6g3umy7b.directorio-w.com"	winlogon.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2629973501-4017243118-3254762364-1000\{C345A786-51DB-4DE0-9123-9E395E09A95C}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3416	winlogon.exe
3416	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	3416	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4724	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4964	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe
3504	winlogon.exe
3416	winlogon.exe
4724	iexplore.exe
4724	iexplore.exe
984	IEXPLORE.EXE
984	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 2184 wrote to memory of 4964	2184	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	79
PID 4964 wrote to memory of 4584	4964	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	81
PID 4964 wrote to memory of 4584	4964	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	81
PID 4964 wrote to memory of 4584	4964	ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe	81
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 4584 wrote to memory of 3504	4584	winlogon.exe	82
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 3504 wrote to memory of 3416	3504	winlogon.exe	84
PID 4724 wrote to memory of 984	4724	iexplore.exe	88
PID 4724 wrote to memory of 984	4724	iexplore.exe	88
PID 4724 wrote to memory of 984	4724	iexplore.exe	88

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe
"C:\Users\Admin\AppData\Local\Temp\ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe
  "C:\Users\Admin\AppData\Local\Temp\ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3416

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1480

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4724 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
76e7d5bf61b2e80d159f88aa9798ce91

SHA1
32a46de50c9c02b068e39cf49b78c7e2d5ace20d

SHA256
280fd6ae3ad21323199759814c4dd82329eb8f9847ed1fa2be145e83b4c88bf3

SHA512
5efd8c64ac40ae006d2ce4509eb9e5f1448fb1156e914d303e8bc4dcfe1d94c57c7eae216b362877e7b644876656cc9e5c4cebfc905bab3f8b09cb1a051d69c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
dedb504b3469b24ec0df79c68f5772e2

SHA1
177a8b1045b456316ca32d90aba942bf34774c64

SHA256
e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0

SHA512
101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
916c512d221c683beeea9d5cb311b0b0

SHA1
bf0db4b1c4566275b629efb095b6ff8857b5748e

SHA256
64a36c1637d0a111152002a2c0385b0df9dd81b616b3f2073fbbe3f2975aa4d8

SHA512
af32cffea722438e9b17b08062dc2e209edc5417418964ead0b392bd502e1a647a8456b2ee2ea59faf69f93d0c6ea6f15949b6c30924db7da65b91cb18e8dc6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C67047FE238D580B731A13BEA5F7481F

Filesize
472B

MD5
cfbcb12817712d4f8f816c208590444a

SHA1
9999caeedbb1a95ae4236a5b962c233633df6799

SHA256
b5a41ab77d5ff4ba1a17ff074eb91bc18824d56dfc4b6c3320e900bbd6f3a90a

SHA512
a70eb8c366dfa0226cd62dbffbf51bd2da25571a6ff6b1f2e44dd8d9193a72f79ab7d90367378edf808ff3152ca45bf2a6ba3d64882d0f6d4aa437b6881d13f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
0b35a712c06f222eaca06ce66428baf2

SHA1
52e947775bdec3020ce7a6fa7a88cfabc73ff964

SHA256
dfb60a722c4419c209f24cb131503faf2d4a52cdb787cae7bc66586c8636227c

SHA512
e1baadcd40193af629167def8e5636aedd92530e592bda9e8f08bc5ec1a52200e9b76508f886c69c8358dbdffc94492ff8e078fdebe0a05391af6770c94f3d4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
9e6b90d88cd3ddab117c9be3ec20e6a7

SHA1
6dc359013e3081ed59d2a88e801788fd63d2076e

SHA256
d366d161f480286f442af1da33dae193fd161f42efeb374f57312d0f4ee3d933

SHA512
0de68f680c87661885748952702f28e99528fcbcca675bff1cc767a7dd74eddd84adc4cc5a7fe6b90c4618e71a6c446c007a8eb08ef67bbd41a86fe9539e2c62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
d052ade0f44436c171c662e56477e298

SHA1
c5f9e03bf0a9e479cdfcb84fc6004ce9d87bbd04

SHA256
7eb64a9c3742a1728beb083b3b63f17e66b2ab6c3903bbd32d116c6799023027

SHA512
08fabacfeb2b75690d0ad26d3f9bf27af186474369b3782318e4c0ed90d53208e6d822cb8c906ae7186d22a754a79254aad031d4ab858473ff4281570c970309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

Filesize
480B

MD5
c80aaea5168973b466f308a6f3a09abd

SHA1
559fa48abe0be81554e7c39ad7014435b670be91

SHA256
856ec27979e9b60fa5b426ebc8a45994e10469bb93ad9c9a7ddf89353f334664

SHA512
c9b5388433154452f7385063822d355491d73c84246b594ec4357084d552323c1c0d34cbbae246c3ed5ebd0e937995a60b55ebb58ef1c78d3ac7b5497227106c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C67047FE238D580B731A13BEA5F7481F

Filesize
480B

MD5
cc8a77e5a3be546de25a6bb04b2d03ff

SHA1
cf05872f9f322fd380afac1393ea7a74eae099c3

SHA256
7f1d7c00ef8ebe323c00d3b0768b1b784dad6070834c467d265e4c242b97e549

SHA512
7eee8a0bf2fe2ab23701b1f646ce5f2a748aaea4042eda2fcbc0fc320c7eb3388ed40ac75f76426a79279636acb88d0e50bd2a32d5172ff1f70782bb6f5e6e2b

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
922f13354a57e00020a78680d844dc0a

SHA1
c2e6c1bdfec4593c6d30ac3cdc530be2fc6b35d6

SHA256
ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e

SHA512
b78f8f3bcb6202e0456efaeb379f3c39b637c74203a13278204aa20a3a9c57e77926d678bbc047af0eca3285b1397999cc7dd73739ef85d9841289b6f2a823a0

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
922f13354a57e00020a78680d844dc0a

SHA1
c2e6c1bdfec4593c6d30ac3cdc530be2fc6b35d6

SHA256
ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e

SHA512
b78f8f3bcb6202e0456efaeb379f3c39b637c74203a13278204aa20a3a9c57e77926d678bbc047af0eca3285b1397999cc7dd73739ef85d9841289b6f2a823a0

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
922f13354a57e00020a78680d844dc0a

SHA1
c2e6c1bdfec4593c6d30ac3cdc530be2fc6b35d6

SHA256
ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e

SHA512
b78f8f3bcb6202e0456efaeb379f3c39b637c74203a13278204aa20a3a9c57e77926d678bbc047af0eca3285b1397999cc7dd73739ef85d9841289b6f2a823a0

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
922f13354a57e00020a78680d844dc0a

SHA1
c2e6c1bdfec4593c6d30ac3cdc530be2fc6b35d6

SHA256
ca3ab4cf7f60dfa72f65be3539147856ec74efca1bffe786b35159072124cf2e

SHA512
b78f8f3bcb6202e0456efaeb379f3c39b637c74203a13278204aa20a3a9c57e77926d678bbc047af0eca3285b1397999cc7dd73739ef85d9841289b6f2a823a0

Download Submit
memory/3416-156-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3416-157-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3416-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3416-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3504-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4964-141-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4964-136-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4964-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4964-133-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download