6dcf54625fee659e41e75ac47bbeeadf172b3447fcc9be02f7db87c1f654cc22

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9a80d24836f6176ed8ea905836958050.exe
Size

222KB
MD5

9a80d24836f6176ed8ea905836958050
SHA1

4a8b2388076edf92bb66cb65a6ab5f28a77a0710
SHA256

6dcf54625fee659e41e75ac47bbeeadf172b3447fcc9be02f7db87c1f654cc22
SHA512

cda3bf2aee167308148426d283b8eeec0fe1f7426bb338da96a6cae0addd073753cc38328d89cd3968079d4c320d92bc8205a2522c445b0762f7970d8b52269e
SSDEEP

3072:X/5F/E7tEf0h+p+tYlpJH7iXQNgggHlxDZiYLK5WplwS4or4wS4M:XhF4cE+wWJH7igNgjdFKs6or4qM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.9a80d24836f6176ed8ea905836958050.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.9a80d24836f6176ed8ea905836958050.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.9a80d24836f6176ed8ea905836958050.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.9a80d24836f6176ed8ea905836958050.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
1820	xk.exe
1672	IExplorer.exe
1952	xk.exe
4740	IExplorer.exe
4780	WINLOGON.EXE
1436	CSRSS.EXE
5076	SERVICES.EXE
3424	LSASS.EXE
4852	SMSS.EXE
2184	WINLOGON.EXE
1052	CSRSS.EXE
528	SERVICES.EXE
3768	LSASS.EXE
1436	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.9a80d24836f6176ed8ea905836958050.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.9a80d24836f6176ed8ea905836958050.exe
File created	C:\desktop.ini	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened for modification	F:\desktop.ini	NEAS.9a80d24836f6176ed8ea905836958050.exe
File created	F:\desktop.ini	NEAS.9a80d24836f6176ed8ea905836958050.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\X:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\Y:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\O:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\P:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\U:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\T:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\E:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\H:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\J:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\S:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\V:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\Z:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\I:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\L:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\N:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\M:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\Q:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\R:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\B:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\G:	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened (read-only)	\??\K:	NEAS.9a80d24836f6176ed8ea905836958050.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.9a80d24836f6176ed8ea905836958050.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.9a80d24836f6176ed8ea905836958050.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.9a80d24836f6176ed8ea905836958050.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.9a80d24836f6176ed8ea905836958050.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.9a80d24836f6176ed8ea905836958050.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.9a80d24836f6176ed8ea905836958050.exe
File created	C:\Windows\xk.exe	NEAS.9a80d24836f6176ed8ea905836958050.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\Desktop\	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.9a80d24836f6176ed8ea905836958050.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.9a80d24836f6176ed8ea905836958050.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1044	NEAS.9a80d24836f6176ed8ea905836958050.exe
1044	NEAS.9a80d24836f6176ed8ea905836958050.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1044	NEAS.9a80d24836f6176ed8ea905836958050.exe
1820	xk.exe
1672	IExplorer.exe
1952	xk.exe
4740	IExplorer.exe
4780	WINLOGON.EXE
1436	CSRSS.EXE
5076	SERVICES.EXE
3424	LSASS.EXE
4852	SMSS.EXE
2184	WINLOGON.EXE
1052	CSRSS.EXE
528	SERVICES.EXE
3768	LSASS.EXE
1436	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1820	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	86
PID 1044 wrote to memory of 1820	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	86
PID 1044 wrote to memory of 1820	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	86
PID 1044 wrote to memory of 1672	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	87
PID 1044 wrote to memory of 1672	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	87
PID 1044 wrote to memory of 1672	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	87
PID 1044 wrote to memory of 1952	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	88
PID 1044 wrote to memory of 1952	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	88
PID 1044 wrote to memory of 1952	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	88
PID 1044 wrote to memory of 4740	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	89
PID 1044 wrote to memory of 4740	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	89
PID 1044 wrote to memory of 4740	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	89
PID 1044 wrote to memory of 4780	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	90
PID 1044 wrote to memory of 4780	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	90
PID 1044 wrote to memory of 4780	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	90
PID 1044 wrote to memory of 1436	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	91
PID 1044 wrote to memory of 1436	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	91
PID 1044 wrote to memory of 1436	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	91
PID 1044 wrote to memory of 5076	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	92
PID 1044 wrote to memory of 5076	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	92
PID 1044 wrote to memory of 5076	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	92
PID 1044 wrote to memory of 3424	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	93
PID 1044 wrote to memory of 3424	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	93
PID 1044 wrote to memory of 3424	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	93
PID 1044 wrote to memory of 4852	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	94
PID 1044 wrote to memory of 4852	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	94
PID 1044 wrote to memory of 4852	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	94
PID 1044 wrote to memory of 2184	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	104
PID 1044 wrote to memory of 2184	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	104
PID 1044 wrote to memory of 2184	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	104
PID 1044 wrote to memory of 1052	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	105
PID 1044 wrote to memory of 1052	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	105
PID 1044 wrote to memory of 1052	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	105
PID 1044 wrote to memory of 528	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	108
PID 1044 wrote to memory of 528	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	108
PID 1044 wrote to memory of 528	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	108
PID 1044 wrote to memory of 3768	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	109
PID 1044 wrote to memory of 3768	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	109
PID 1044 wrote to memory of 3768	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	109
PID 1044 wrote to memory of 1436	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	110
PID 1044 wrote to memory of 1436	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	110
PID 1044 wrote to memory of 1436	1044	NEAS.9a80d24836f6176ed8ea905836958050.exe	110

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.9a80d24836f6176ed8ea905836958050.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.9a80d24836f6176ed8ea905836958050.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.9a80d24836f6176ed8ea905836958050.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.9a80d24836f6176ed8ea905836958050.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9a80d24836f6176ed8ea905836958050.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1044
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1820
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4740
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4780
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1436
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3424
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4852
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1052
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:528
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3768
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
222KB

MD5
60d692aee4bb130e42c34fd601541ef7

SHA1
4960061adce9f4996ddd772245daa474ddca8357

SHA256
aaca8a06a8bc938a3f9b57a91287015c2fff31b6fcad5b44c59189a070c46cf0

SHA512
ddde27ac965a3332f092060010d886d8c9d91f8d8fb4452192d9b02ab0efa253f40e289c8ad6aab028fc769493b948585886a8f90b210f44e45f90de782a1890

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
222KB

MD5
60d692aee4bb130e42c34fd601541ef7

SHA1
4960061adce9f4996ddd772245daa474ddca8357

SHA256
aaca8a06a8bc938a3f9b57a91287015c2fff31b6fcad5b44c59189a070c46cf0

SHA512
ddde27ac965a3332f092060010d886d8c9d91f8d8fb4452192d9b02ab0efa253f40e289c8ad6aab028fc769493b948585886a8f90b210f44e45f90de782a1890

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
222KB

MD5
5201b511c2609c3ed704e9871e8c6e76

SHA1
7fe531c1be9e16ca3c9ba729e99418412e127469

SHA256
2f9dc13a936f42ae2eb3d2da1bb5b660a812574a4c9fc6248f9c860ed978a0b6

SHA512
d71daf8c3ec055c91df85e817c3d90f672c532d367b3072257a5d902d137655c1a0516704b2a74bda380011ee7dfb67cb2e64c61b8c556380bcbaf74150f84b7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
222KB

MD5
5201b511c2609c3ed704e9871e8c6e76

SHA1
7fe531c1be9e16ca3c9ba729e99418412e127469

SHA256
2f9dc13a936f42ae2eb3d2da1bb5b660a812574a4c9fc6248f9c860ed978a0b6

SHA512
d71daf8c3ec055c91df85e817c3d90f672c532d367b3072257a5d902d137655c1a0516704b2a74bda380011ee7dfb67cb2e64c61b8c556380bcbaf74150f84b7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
222KB

MD5
72f71b6e20cc8dc75f80519196c97a27

SHA1
852a3e991b4a4f20db4098a7e51a2065efec702b

SHA256
450cbb08683e9b88d85b4ead4eca086c8d439e27378c63f21757e7bf574a97e4

SHA512
bb589d6158de5b536eba37d8256c9a426de3219cc8abc8dd335117b9552058b865342f7f7c2e7b53c695db74c3dd47aa5373600accdcb769563c72cf6fe3c285

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
222KB

MD5
72f71b6e20cc8dc75f80519196c97a27

SHA1
852a3e991b4a4f20db4098a7e51a2065efec702b

SHA256
450cbb08683e9b88d85b4ead4eca086c8d439e27378c63f21757e7bf574a97e4

SHA512
bb589d6158de5b536eba37d8256c9a426de3219cc8abc8dd335117b9552058b865342f7f7c2e7b53c695db74c3dd47aa5373600accdcb769563c72cf6fe3c285

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
222KB

MD5
7b041bdd8ae2aa9cbbd899dae2d2624d

SHA1
192f87fc09f9696e73d22a544a49dcfda4defc4b

SHA256
978efa7955183d6ce7b0820dd7d2d34fd72721de4e82494525f1396136d586bf

SHA512
3094a1d2033da76efbb2bdac5d2ece26ae751fb220ba37c04f71bac20bf0e0e47a132e0523e552cf8b67aab20008779232241fae2c7ded0c253e8270f5e239f4

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
222KB

MD5
7b041bdd8ae2aa9cbbd899dae2d2624d

SHA1
192f87fc09f9696e73d22a544a49dcfda4defc4b

SHA256
978efa7955183d6ce7b0820dd7d2d34fd72721de4e82494525f1396136d586bf

SHA512
3094a1d2033da76efbb2bdac5d2ece26ae751fb220ba37c04f71bac20bf0e0e47a132e0523e552cf8b67aab20008779232241fae2c7ded0c253e8270f5e239f4

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
222KB

MD5
45c8fd93008d50294cf9c453de7a872a

SHA1
1e6919fad0e65bd9c3765d60bbffc277f5377ae7

SHA256
99ee4be46b03d2e58370c17929db9939b62202d13cc940de45aa32944f5aeb75

SHA512
223687c216ce4427985705b5b3fd928c12215c2aa938d15a5732f588fd88b34f886af6cbe5a8d8d4a33cc776fe1ba3c3a4fb51d896bedc3a603d8f24be905cdb

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
222KB

MD5
45c8fd93008d50294cf9c453de7a872a

SHA1
1e6919fad0e65bd9c3765d60bbffc277f5377ae7

SHA256
99ee4be46b03d2e58370c17929db9939b62202d13cc940de45aa32944f5aeb75

SHA512
223687c216ce4427985705b5b3fd928c12215c2aa938d15a5732f588fd88b34f886af6cbe5a8d8d4a33cc776fe1ba3c3a4fb51d896bedc3a603d8f24be905cdb

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
222KB

MD5
9a80d24836f6176ed8ea905836958050

SHA1
4a8b2388076edf92bb66cb65a6ab5f28a77a0710

SHA256
6dcf54625fee659e41e75ac47bbeeadf172b3447fcc9be02f7db87c1f654cc22

SHA512
cda3bf2aee167308148426d283b8eeec0fe1f7426bb338da96a6cae0addd073753cc38328d89cd3968079d4c320d92bc8205a2522c445b0762f7970d8b52269e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
222KB

MD5
60d692aee4bb130e42c34fd601541ef7

SHA1
4960061adce9f4996ddd772245daa474ddca8357

SHA256
aaca8a06a8bc938a3f9b57a91287015c2fff31b6fcad5b44c59189a070c46cf0

SHA512
ddde27ac965a3332f092060010d886d8c9d91f8d8fb4452192d9b02ab0efa253f40e289c8ad6aab028fc769493b948585886a8f90b210f44e45f90de782a1890

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
222KB

MD5
5201b511c2609c3ed704e9871e8c6e76

SHA1
7fe531c1be9e16ca3c9ba729e99418412e127469

SHA256
2f9dc13a936f42ae2eb3d2da1bb5b660a812574a4c9fc6248f9c860ed978a0b6

SHA512
d71daf8c3ec055c91df85e817c3d90f672c532d367b3072257a5d902d137655c1a0516704b2a74bda380011ee7dfb67cb2e64c61b8c556380bcbaf74150f84b7

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
222KB

MD5
72f71b6e20cc8dc75f80519196c97a27

SHA1
852a3e991b4a4f20db4098a7e51a2065efec702b

SHA256
450cbb08683e9b88d85b4ead4eca086c8d439e27378c63f21757e7bf574a97e4

SHA512
bb589d6158de5b536eba37d8256c9a426de3219cc8abc8dd335117b9552058b865342f7f7c2e7b53c695db74c3dd47aa5373600accdcb769563c72cf6fe3c285

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
222KB

MD5
7b041bdd8ae2aa9cbbd899dae2d2624d

SHA1
192f87fc09f9696e73d22a544a49dcfda4defc4b

SHA256
978efa7955183d6ce7b0820dd7d2d34fd72721de4e82494525f1396136d586bf

SHA512
3094a1d2033da76efbb2bdac5d2ece26ae751fb220ba37c04f71bac20bf0e0e47a132e0523e552cf8b67aab20008779232241fae2c7ded0c253e8270f5e239f4

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
222KB

MD5
45c8fd93008d50294cf9c453de7a872a

SHA1
1e6919fad0e65bd9c3765d60bbffc277f5377ae7

SHA256
99ee4be46b03d2e58370c17929db9939b62202d13cc940de45aa32944f5aeb75

SHA512
223687c216ce4427985705b5b3fd928c12215c2aa938d15a5732f588fd88b34f886af6cbe5a8d8d4a33cc776fe1ba3c3a4fb51d896bedc3a603d8f24be905cdb

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
222KB

MD5
d1ca769fff262a25395e203c21ce3d1d

SHA1
e16282897a55e9e0322dc3c63ef50680826e8d4b

SHA256
98bd8c47f90c2e000343013cc9b8199d6d864e1dfc4a0daf0a3fb088b41b755f

SHA512
1a64c59fc39862717850d5debbec86dc558eec67f9fbfc7213248e01d230a99eee277dc8f6501e31c1eeaa89cdf3c8e3f1525fff756089ec045c0be0922b3670

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
222KB

MD5
d1ca769fff262a25395e203c21ce3d1d

SHA1
e16282897a55e9e0322dc3c63ef50680826e8d4b

SHA256
98bd8c47f90c2e000343013cc9b8199d6d864e1dfc4a0daf0a3fb088b41b755f

SHA512
1a64c59fc39862717850d5debbec86dc558eec67f9fbfc7213248e01d230a99eee277dc8f6501e31c1eeaa89cdf3c8e3f1525fff756089ec045c0be0922b3670

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
222KB

MD5
4917b707b24682d1f1000c623ff26827

SHA1
85077eb4d1cf5f4cbb69cc3f83290e1cac10697c

SHA256
39ec21179e9e433948a89eb98322adb6af76387e6723126a723b028b035b6d16

SHA512
2faf4d301e7e149ee9e39e89802213685a716efa83d61ede8da58332e872d447c5bd32056e89d7dd8217e787cc505776cd2a7933e35b76aaee62b5996ced15c2

Download Submit
C:\Windows\xk.exe

Filesize
222KB

MD5
aba359f8ff3141424771163a8353b4ee

SHA1
68d82966a0da38015e4f5f4369aec3e9387e82c0

SHA256
399b2a47babe4704bc06b96f2e852dfdaae0e96425b1d3cdedd8b805e2291e14

SHA512
12e82a6522e47809751a0c1a96e23193471d933413862f53647bb7d025c8b249cc29e281fb8b1c61e9ba2683ebcc41d642a1886bce5610fbc0020b0fb477393f

Download Submit
C:\Windows\xk.exe

Filesize
222KB

MD5
aba359f8ff3141424771163a8353b4ee

SHA1
68d82966a0da38015e4f5f4369aec3e9387e82c0

SHA256
399b2a47babe4704bc06b96f2e852dfdaae0e96425b1d3cdedd8b805e2291e14

SHA512
12e82a6522e47809751a0c1a96e23193471d933413862f53647bb7d025c8b249cc29e281fb8b1c61e9ba2683ebcc41d642a1886bce5610fbc0020b0fb477393f

Download Submit
C:\Windows\xk.exe

Filesize
222KB

MD5
cd89b3b8bd796731b1f2e84e3f7aa7b0

SHA1
4847daae462de5053e673b09e18bcda6879557d2

SHA256
28910f8637e0062a027a70e884c5cc35ae0d56364f90c64cfd3cc166a2c6e74e

SHA512
9f6034f0d4c92500b33e954cc9af4576b4a6b963e6580ac47039776d9b6bf6a70d7ea7e88874f323ddf2c635713fd35043d06bf1770b40cdc144a7f9bb488857

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/528-281-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1044-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1044-318-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1052-249-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1436-194-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1436-317-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1436-190-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1672-114-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1672-118-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-112-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1820-107-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-177-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1952-171-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2184-245-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3424-208-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3424-204-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3768-313-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4740-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4740-176-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4780-187-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4780-183-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4852-215-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4852-212-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5076-201-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5076-197-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download