Analysis
max time kernel: 184s
max time network: 192s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03/12/2022, 12:55

Static task: static1

Behavioral task: behavioral1
Sample: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
Resource: win10v2004-20220812-en

General
Target: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
Size: 714KB
MD5: e0912b352fc80c40bdf45903c00cd0a4
SHA1: 82e04df444b21c11e7378cfe6516d2b9e9f9c94d
SHA256: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
SHA512: 6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6
SSDEEP: 3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH
Malware Config
Signatures

Modifies firewall policy service (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification

Disables taskbar notifications via registry modification
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
Executes dropped EXE (3 IoCs)
pid | Process
720 | winlogon.exe
1820 | winlogon.exe
952 | winlogon.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
resource | yara_rule
behavioral1/memory/620-56-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/620-58-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/620-59-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/620-62-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/620-63-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/620-71-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1820-87-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/952-88-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/952-92-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/952-93-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/952-97-0x0000000000400000-0x0000000000443000-memory.dmp | upx
Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe
Loads dropped DLL (2 IoCs)
pid | Process
620 | cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
620 | cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 944 set thread context of 620 | 944 | cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe | 29
PID 720 set thread context of 1820 | 720 | winlogon.exe | 32
PID 1820 set thread context of 952 | 1820 | winlogon.exe | 35
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
Modifies Internet Explorer start page (1 TTP, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://f7yicut5z445q38.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://1847uef416n3v7x.directorio-w.com" | winlogon.exe
Modifies registry class (24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | winlogon.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
952 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeBackupPrivilege | 952 | winlogon.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
948 | iexplore.exe
948 | iexplore.exe
948 | iexplore.exe
948 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 19 IoCs
pid | Process
620 | cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
1820 | winlogon.exe
952 | winlogon.exe
948 | iexplore.exe
948 | iexplore.exe
1444 | IEXPLORE.EXE
1444 | IEXPLORE.EXE
948 | iexplore.exe
948 | iexplore.exe
860 | IEXPLORE.EXE
860 | IEXPLORE.EXE
948 | iexplore.exe
948 | iexplore.exe
1968 | IEXPLORE.EXE
1968 | IEXPLORE.EXE
948 | iexplore.exe
948 | iexplore.exe
2232 | IEXPLORE.EXE
2232 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 53 IoCs
description | pid | Process | procid_target
PID 944 wrote to memory of 524 | 944 | cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe | 28 (4 entries)
PID 944 wrote to memory of 620 | 944 | cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe | 29 (8 entries)
PID 620 wrote to memory of 720 | 620 | cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe | 30 (4 entries)
PID 720 wrote to memory of 856 | 720 | winlogon.exe | 31 (4 entries)
PID 720 wrote to memory of 1820 | 720 | winlogon.exe | 32 (8 entries)
PID 1820 wrote to memory of 952 | 1820 | winlogon.exe | 35 (9 entries)
PID 948 wrote to memory of 1444 | 948 | iexplore.exe | 39 (4 entries)
PID 948 wrote to memory of 860 | 948 | iexplore.exe | 41 (4 entries)
PID 948 wrote to memory of 1968 | 948 | iexplore.exe | 42 (4 entries)
PID 948 wrote to memory of 2232 | 948 | iexplore.exe | 43 (4 entries)
-
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | winlogon.exe
Processes
1⤵ C:\Users\Admin\AppData\Local\Temp\cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe"
   PID: 944
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\\svchost.exe
      PID: 524
   2⤵ C:\Users\Admin\AppData\Local\Temp\cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
      PID: 620
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Users\Admin\E696D64614\winlogon.exe
         Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
         PID: 720
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4⤵ C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\system32\\svchost.exe
            PID: 856
         4⤵ C:\Users\Admin\E696D64614\winlogon.exe
            PID: 1820
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5⤵ C:\Users\Admin\E696D64614\winlogon.exe
               Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
               PID: 952
               - Modifies firewall policy service
               - Modifies security service
               - Modifies visibility of file extensions in Explorer
               - Modifies visibility of hidden/system files in Explorer
               - UAC bypass
               - Windows security bypass
               - Disables RegEdit via registry modification
               - Drops file in Drivers directory
               - Executes dropped EXE
               - Sets file execution options in registry
               - Drops startup file
               - Windows security modification
               - Adds Run key to start application
               - Checks whether UAC is enabled
               - Modifies Control Panel
               - Modifies Internet Explorer settings
               - Modifies Internet Explorer start page
               - Modifies registry class
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of SetWindowsHookEx
               - System policy modification
1⤵ C:\Windows\system32\wbem\unsecapp.exe
   Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
   PID: 1152
1⤵ C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
   PID: 948
   - Modifies Internet Explorer settings
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
      PID: 1444
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
   2⤵ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:668686 /prefetch:2
      PID: 860
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
   2⤵ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:930830 /prefetch:2
      PID: 1968
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
   2⤵ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:537626 /prefetch:2
      PID: 2232
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 8f0cea8e3d9160e901740f3bf325183e
  SHA1: 819fa0a35a71e111f290fec2ee3bcd4d5da0f634
  SHA256: 0638f0beb6b70f24360ae8191fa398c22dbac6d635be99a0226443f84f8b7b77
  SHA512: e4394d276a8215b57dacb848bf8aa6a61111353c820204da68162f18d4e598d015836674a9fffc1d1858b38c22720c3a168e3b384d5ee81f838e47d089cd3aa3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
  Filesize: 472B
  MD5: 5006b8e985c5838b7fd2f2b558a65bc4
  SHA1: 183ff15e0faedf346305fd6fe1c70c9c7a1eef4a
  SHA256: fcbfec9f5fd0e10d44778c1df64d8612281cd39881cdfd0aa8ca30d13655655a
  SHA512: 56526aaf34500a94404e83461b3580513be1f07b288485c7059fc1ec86b77cda50da613b7def2fe6a8e2d04bb3d522fdffb5f7e9293eab06e86cd2d6af24a1a7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize: 1KB
  MD5: 624ec7959768fb34e94feee318b8dd0a
  SHA1: 417469bb00f00b7f7e9ef4bdfa4df7c1894df5cd
  SHA256: 53afc3fbd47ad4ebad0f488de3b2fcbadb9f293bdcd49abc3d6d59665c0fa06d
  SHA512: de05ad95dd664e36d2277c973d904248d8741a13b41e33bb2a1174bbf7d16e91eb961a4ea51c722b16459cd902dfe619db103ea8815e2790462dde5359223b3d
- Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize: 1KB
  MD5: 750b6d5503f71d788477b92f46154b6a
  SHA1: f06d67221f6014c471c1d6255a20f8d456141467
  SHA256: aa86374e793614e4f866a2034dfb5c5a59f21a5b50e4d57517b2e36c552d106e
  SHA512: a2d5b3f060971ef911edc9b40ea8f8c0ead2a0bc7cbb41e2a298a2d7dc7c478b72b46c721331db321b1dc111368476898d5080ffa9d574738dd93eee4047f746
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 724B
  MD5: f569e1d183b84e8078dc456192127536
  SHA1: 30c537463eed902925300dd07a87d820a713753f
  SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
  SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: db4d65cf5748459ffd0f2ea045b5daa2
  SHA1: 6854d0ffc712b6ae3aa663d1b582a2a990932226
  SHA256: 917f1e360554f9b1ffbf670d8e9e053ec8e9225f39463608ebdde7a2880ea84c
  SHA512: 15bea2331b03aff50fe62fe13fcf989d00325244b501c92a2b8cb8422ed73bf8004a3ac6c9be9c9b6cba21c8c8edf17c8730c5b4d3700969692b351b34819a62
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
  Filesize: 402B
  MD5: aa4ca89c11103f8499cdb5f7bc0e84ac
  SHA1: 2dee0fe52c988c1b1f651fe1492a617c3696a4fb
  SHA256: 60bf90427e02bcbb590e4817a5a3ddee4cc663e3ebb5f5756377d4bf4ca66edd
  SHA512: cb6ac22cb824cf245e2717572ce518a2d662bd5cbc6b4f60194efb7a5790228cc32a6dc59714c21e5654565a37b76997d84848411ea720d679ab9f9a42c59d41
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize: 466B
  MD5: 7ae058986f1ead70ed682924d35590cf
  SHA1: c4490d1015fd307fd5bece3f354e4db7ce03af20
  SHA256: a83c485276b1f992bfa7273360a3d00daaf0c4dca0b6aa9d7ecd38054f18f893
  SHA512: b31376c6f8b870ed3226029498d1311befb2f662ce839e1163269dbdd22d6ffb047fd1ef21fbb83f5bddd6986c6f3589f12e3d78d8bebdfb8f576bdff932c0dd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 187acf68a79f5007e31b6fd349b191ba
  SHA1: 92965153dc1410ebb4bc4cbe63ec2b857df4bfc0
  SHA256: 755e94d699ebbc31e8c833b38c22623eacf73c987249770b8404ac8f39832b21
  SHA512: 9aca5bb12bc606e682b670fd88e4a7393f4e823dd4cc8f6abcfffb82647cd2f1037c710aff3cd2fe190d43eb8fa0245dc61ac33078f1f72e84f373ce47e2b055
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7beed772769f4b2301de30bab25c437f
  SHA1: 10cbe320a519c2c865b6a552841af00a48dd3d50
  SHA256: 6f97b0b8196cf93001b2c79bf4d9e9672ced20fd3cea2ecf867318a45340ae23
  SHA512: becbb2094e560e781983a3bcef61164c83221e43c862899f6dbe1c765145c1c2728794944298f3890bf671d2ffbfa59f9cfafb36eaa69c5924a91575a8a8e0ca
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f4d7b8ac5b6748a8b9c8e7c067d85d9b
  SHA1: 6c70ec24f77034b77dfc536f7a44274d127b5cb0
  SHA256: 4fc2ce9ff018ea6c2f1c9b3b878a3f824f42866b24ee0afad2cabe5cf126fb13
  SHA512: 4ffd1c3599bdc7a5e32a09642f15e81fa4497ddee3628e4dfb2bd5063d3cec088f8542f5ce0b59245c7571e5da6c8e8cc998b6f79ad9ede85764e1d93a3c4a01
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6f48dfbcb2f65fb68982866a780c6b55
  SHA1: cd0d30182911155bcd117201af25834e1a0a8313
  SHA256: 40fe6da2c312b54429dd48453759de1bb957cc3270032030ab3b33e2cc5b49e9
  SHA512: cdffc8418129c9c632f55d63fdf98583721111230cca5418565b14420a4eb80784979befa4a60b0068182092ae10b22af4f0c6e49fcea6f681114dcf080917c7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 75f5506471899f1130f2351b82e739c1
  SHA1: e6d2b9d6e40cdb2cad6aa2363af686bdfe528973
  SHA256: fc77f53f7f0d38171743db6d1c4f798fdb641fa0606684dea11dbd48a8b29303
  SHA512: 52ae65eb90fcfaf5b887af99178a8189bbcb3938fa04729a3d5eb389791fa6880097ceff44bd190d8db25b147359430fa6198f742073f3b9cfa7c858eb6bcb39
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e8dfb3a6ba3e461bf574a35a5a0648f5
  SHA1: a153b96fd87c1a9c2b2bc911150a3d998c5d66f1
  SHA256: f3a6eb65fa66ba4d6c1d2582493d324a7b333542092a3f431bfb58adbadbc280
  SHA512: 2a2727a6c91c2f40b1958b52f01b3a07269dd4269a6c37f9f03873eb51854f82a025150551a19390767ada8f3576ea53ea0c5583245247deaa5b4e78887eed93
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 824f9e1846b6e316b3a1d7a0a895331b
  SHA1: a6fcb9f153b26a912a966a01278a16e47c8e690e
  SHA256: da5487376420408dd5be700bc947d5d40ddddc6a48276dbf733f4e337a1db4f0
  SHA512: 62283468e73e6cad3e049a8f839fda1af89f91afed710791927971a060d96662f24d0e6dbabee03f8812cd4cc8c988ddff1205eb8c7b950472fb0255772e3581
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 78c6fc450988e76b31fcbe24348e8e4c
  SHA1: ad3f24fa2fc9f446ee287dcbee23b85826999924
  SHA256: de13336e44e771dc4bd6022181b9072862f64b9c9a08beebeec8a2fb1b64d2bf
  SHA512: 63ae2459b7e2beff427d314b5c24a13fadebab209406c28ae78413c8135ec64aa437f458209c4901bd722580eec72a502b6e06f33ec9b9ef3ce9c125ffb4cf05
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e26bdc7a4cafdff342fb7aefd342813f
  SHA1: 7380083ab9e073da86031c33d6b4038ebd9ac52b
  SHA256: 50751bbd189bf7445236feba19cdfeed2c53612637ed904c352f8d4192b8c161
  SHA512: 0cff8a02fe692785d10a1581e4cbd4cc2ba984460c5b9362522f6fd889e858fb7ced1ec5a6f0be6124d9bd797bf1dd6cc82d55d1ef0790d53d548de78703bc01
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize: 470B
  MD5: fdb45a64d1d69693f189807ac1ef2101
  SHA1: cacfc4e458d511efa5280779cc0f21d60927854e
  SHA256: 9033a3f1c81d00b73c06a019db633128e05327ebd5d6713f137d951aa937a50d
  SHA512: 297e0b76433c2563f2ac8efa4c0c4eb1b1ec30d4141e6e9c52425028968ca11e1eef081bc17be99b5e6a1e7f6e3499420d6af0eb5038c8f28ce9f61edb3cf4ca
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: eb917eacaa9b1e1ca9be36ec451cdf47
  SHA1: de7ae60b0d617aca82d59ffbd2c1420a4e6439cf
  SHA256: 18bf89780f04ec2ee30792327053236acd9b328366302347ef0daea87ef8b82b
  SHA512: 6f4041b2f98f70704cc1878ba548ba9c52fa3fffbebf86a0f80dab207f89c9cfa000c887b3c4f83f661bef4b299b9e8f141d9514634982b7e2bb18b5252c6ecd
- Filesize: 13B
  MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
  SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
  SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
  SHA512: 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
- Filesize: 600B
  MD5: b782497cc5eb3a00883dc1219a33f788
  SHA1: 08adfa11ac224c958906768a944191ddde6253b0
  SHA256: 0b864b32fab11837f27e63a1eda5b217f7fbe893fe9b9d8cbb08f88647f903c5
  SHA512: ee3cc8ae4db8074f5d452ef8999d6af0fe5df462e8d4aa062eba4d3ed7c111a22935a05a45f6fe762288b6b1970a3fa4ec8c18e1eed65b4d604b7a0f4301cfc1
- Filesize: 714KB
  MD5: e0912b352fc80c40bdf45903c00cd0a4
  SHA1: 82e04df444b21c11e7378cfe6516d2b9e9f9c94d
  SHA256: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
  SHA512: 6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6
- Filesize: 714KB
  MD5: e0912b352fc80c40bdf45903c00cd0a4
  SHA1: 82e04df444b21c11e7378cfe6516d2b9e9f9c94d
  SHA256: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
  SHA512: 6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6
- Filesize: 714KB
  MD5: e0912b352fc80c40bdf45903c00cd0a4
  SHA1: 82e04df444b21c11e7378cfe6516d2b9e9f9c94d
  SHA256: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
  SHA512: 6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6
- Filesize: 714KB
  MD5: e0912b352fc80c40bdf45903c00cd0a4
  SHA1: 82e04df444b21c11e7378cfe6516d2b9e9f9c94d
  SHA256: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
  SHA512: 6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6
- Filesize: 714KB
  MD5: e0912b352fc80c40bdf45903c00cd0a4
  SHA1: 82e04df444b21c11e7378cfe6516d2b9e9f9c94d
  SHA256: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
  SHA512: 6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6
- Filesize: 714KB
  MD5: e0912b352fc80c40bdf45903c00cd0a4
  SHA1: 82e04df444b21c11e7378cfe6516d2b9e9f9c94d
  SHA256: cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
  SHA512: 6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6