54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Size

37KB
MD5

77cab3ac2d44ca3cc2f905316cbaa8b0
SHA1

0512f5b7f32a556dcad3773418767a9a8512aa94
SHA256

54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02
SHA512

8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87
SSDEEP

768:aHrZtjEF/e782hCY4g/iB0F79KIDN1dCvbYLYQV5nCsm:MrZtaewPBaF79KuUbYLK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	Hole.zip
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, \"C:\\Windows\\system32\\M5VBVM60.EXE StartUp\""	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, \"C:\\Windows\\system32\\M5VBVM60.EXE StartUp\""	Zero.txt

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	Zero.txt

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Zero.txt

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Zero.txt

Executes dropped EXE 5 IoCs

pid	Process
3064	Empty.jpg
4932	Blank.doc
1668	Zero.txt
5028	Hole.zip
1044	Unoccupied.reg

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe

Loads dropped DLL 5 IoCs

pid	Process
3064	Empty.jpg
4932	Blank.doc
1668	Zero.txt
5028	Hole.zip
1044	Unoccupied.reg

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Blank AntiViri = "C:\\AUT0EXEC.BAT StartUp"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Secure64 = "C:\\Windows\\system32\\dllcache\\Regedit32.com StartUp"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Secure32 = "C:\\Windows\\system32\\dllcache\\Shell32.com StartUp"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Blank AntiViri = "C:\\AUT0EXEC.BAT StartUp"	Zero.txt
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Secure64 = "C:\\Windows\\system32\\dllcache\\Regedit32.com StartUp"	Zero.txt
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Secure32 = "C:\\Windows\\system32\\dllcache\\Shell32.com StartUp"	Zero.txt

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Blank.doc
File opened (read-only)	\??\B:	Blank.doc
File opened (read-only)	\??\I:	Blank.doc
File opened (read-only)	\??\T:	Blank.doc
File opened (read-only)	\??\S:	Blank.doc
File opened (read-only)	\??\Z:	Blank.doc
File opened (read-only)	\??\H:	Blank.doc
File opened (read-only)	\??\K:	Blank.doc
File opened (read-only)	\??\M:	Blank.doc
File opened (read-only)	\??\P:	Blank.doc
File opened (read-only)	\??\Q:	Blank.doc
File opened (read-only)	\??\R:	Blank.doc
File opened (read-only)	\??\U:	Blank.doc
File opened (read-only)	\??\V:	Blank.doc
File opened (read-only)	\??\E:	Blank.doc
File opened (read-only)	\??\F:	Blank.doc
File opened (read-only)	\??\L:	Blank.doc
File opened (read-only)	\??\X:	Blank.doc
File opened (read-only)	\??\Y:	Blank.doc
File opened (read-only)	\??\O:	Blank.doc
File opened (read-only)	\??\G:	Blank.doc
File opened (read-only)	\??\J:	Blank.doc
File opened (read-only)	\??\N:	Blank.doc

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dllChache\Zero.txt	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Unoccupied.reg	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\rund1132.exe	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllcache\Regedit32.com	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\Regedit32.com	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllchache.exe	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllcache\msvbvm60.dll	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllChache\Empty.jpg	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Hole.zip	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\rund1132.exe	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllChache\Hole.zip	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\msvbvm60.dll	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Blank.doc	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllChache\Unoccupied.reg	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllcache\Shell32.com	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\M5VBVM60.EXE	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllChache\msvbvm60.dll	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\msvbvm60.dll	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllChache\Zero.txt	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllcache\Shell32.com	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\M5VBVM60.EXE	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllchache	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllchache.exe	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64\dllChache\Empty.jpg	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File created	C:\Windows\SysWOW64\dllChache\Blank.doc	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32.exe	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\SysWOW64	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
File opened for modification	C:\Windows\system32.exe	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000000c55249f10004c6f63616c003c0009000400efbe0c551d9c8955239b2e0000009be10100000001000000000000000000000000000000c7c1b9004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	Zero.txt
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000000c558da3100041646d696e003c0009000400efbe0c551d9c8955239b2e0000007de1010000000100000000000000000000000000000034a60a00410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = ca0031000000000089551d9b17003534413244327e310000b20009000400efbe89551d9b89551d9b2e000000692f02000000060000000000000000000000000000000c270f003500340061003200640032006200340030003100350062006400660039006500300064003300300030003500340032003100330036003800390033003300310032006100640035003000320035006500340032003700390062006600370062003700380037006300300061003300340063003000330033003800650030003200000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\SysWow64\\rund1132.exe %1"	Zero.txt
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000c551d9c12004170704461746100400009000400efbe0c551d9c8955239b2e00000088e10100000001000000000000000000000000000000393ab1004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000000c551d9c1100557365727300640009000400efbe874f77488955239b2e000000c70500000000010000000000000000003a0000000000b6fcd40055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000008955229b100054656d7000003a0009000400efbe0c551d9c8955229b2e0000009ce1010000000100000000000000000000000000000069588600540065006d007000000014000000	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3080	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
4932	Blank.doc
4932	Blank.doc
4932	Blank.doc
4932	Blank.doc
1668	Zero.txt
1668	Zero.txt
1668	Zero.txt
1668	Zero.txt
5028	Hole.zip
5028	Hole.zip
5028	Hole.zip
5028	Hole.zip
1044	Unoccupied.reg
1044	Unoccupied.reg
1044	Unoccupied.reg
1044	Unoccupied.reg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
3064	Empty.jpg
4932	Blank.doc
4932	Blank.doc
4932	Blank.doc
4932	Blank.doc
1668	Zero.txt
1668	Zero.txt
1668	Zero.txt
1668	Zero.txt
5028	Hole.zip
5028	Hole.zip
5028	Hole.zip
5028	Hole.zip
1044	Unoccupied.reg
1044	Unoccupied.reg
1044	Unoccupied.reg
1044	Unoccupied.reg
3064	Empty.jpg
3064	Empty.jpg

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3080	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
3064	Empty.jpg
4932	Blank.doc
1668	Zero.txt
5028	Hole.zip
1044	Unoccupied.reg
3080	explorer.exe
3080	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3064	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	81
PID 4764 wrote to memory of 3064	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	81
PID 4764 wrote to memory of 3064	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	81
PID 4764 wrote to memory of 4932	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	82
PID 4764 wrote to memory of 4932	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	82
PID 4764 wrote to memory of 4932	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	82
PID 4764 wrote to memory of 1668	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	83
PID 4764 wrote to memory of 1668	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	83
PID 4764 wrote to memory of 1668	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	83
PID 4764 wrote to memory of 5028	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	84
PID 4764 wrote to memory of 5028	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	84
PID 4764 wrote to memory of 5028	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	84
PID 4764 wrote to memory of 1044	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	85
PID 4764 wrote to memory of 1044	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	85
PID 4764 wrote to memory of 1044	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	85
PID 4764 wrote to memory of 4464	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	86
PID 4764 wrote to memory of 4464	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	86
PID 4764 wrote to memory of 4464	4764	54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe	86

C:\Users\Admin\AppData\Local\Temp\54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe
"C:\Users\Admin\AppData\Local\Temp\54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\dllChache\Empty.jpg
  C:\Windows\system32\dllChache\Empty.jpg ReStart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3064
- C:\Windows\SysWOW64\dllChache\Blank.doc
  C:\Windows\system32\dllChache\Blank.doc ReStart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4932
- C:\Windows\SysWOW64\dllChache\Zero.txt
  C:\Windows\system32\dllChache\Zero.txt ReStart
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1668
- C:\Windows\SysWOW64\dllChache\Hole.zip
  C:\Windows\system32\dllChache\Hole.zip ReStart
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5028
- C:\Windows\SysWOW64\dllChache\Unoccupied.reg
  C:\Windows\system32\dllChache\Unoccupied.reg ReStart
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1044
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02
  2⤵
  PID:4464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dllChache\Blank.doc

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllChache\Empty.jpg

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllChache\Hole.zip

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllChache\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\dllChache\Unoccupied.reg

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllChache\Zero.txt

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllchache\Blank.doc

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllchache\Empty.jpg

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllchache\Hole.zip

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllchache\Unoccupied.reg

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllchache\Zero.txt

Filesize
37KB

MD5
77cab3ac2d44ca3cc2f905316cbaa8b0

SHA1
0512f5b7f32a556dcad3773418767a9a8512aa94

SHA256
54a2d2b4015bdf9e0d300542136893312ad5025e4279bf7b787c0a34c0338e02

SHA512
8eae50c303894e7a0220a7a1bed8b4eab25cddcc424e93e9e160cdc24952df77475ca3c22691df79cd3b326bea5f0be54fab7df8d92904c2e6d305821020ef87

Download Submit
C:\Windows\SysWOW64\dllchache\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\dllchache\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\dllchache\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\dllchache\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\dllchache\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/1044-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1044-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5028-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download