61cb3786b5ee1578358b41b6f23e0f78a78a5954f8d761846e1c84ad521ca159

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

364b0867184a62e362272b89e4adec90_exe32.exe
Size

196KB
MD5

364b0867184a62e362272b89e4adec90
SHA1

b0025bcdd7ee5e3d44b6519419b409df8c954b2d
SHA256

61cb3786b5ee1578358b41b6f23e0f78a78a5954f8d761846e1c84ad521ca159
SHA512

c948d6230417e5604c4003cc29ee57991723d3692c97a708d6c21623dc561326ddfc6ef0622ae34510967454df2ee7d7959629805de7249e9ad6f69d18115a2e
SSDEEP

3072:ZOgUXoutNZFHxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoSNRARoYlld9n2Qpmx

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	364b0867184a62e362272b89e4adec90_exe32.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	364b0867184a62e362272b89e4adec90_exe32.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	364b0867184a62e362272b89e4adec90_exe32.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	364b0867184a62e362272b89e4adec90_exe32.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
2008	xk.exe
4816	IExplorer.exe
4796	WINLOGON.EXE
1612	CSRSS.EXE
1504	xk.exe
3220	IExplorer.exe
1336	WINLOGON.EXE
1232	CSRSS.EXE
4872	SERVICES.EXE
1640	LSASS.EXE
704	SMSS.EXE
4052	SERVICES.EXE
3744	LSASS.EXE
2360	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	364b0867184a62e362272b89e4adec90_exe32.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2568-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231e1-8.dat	upx
behavioral2/files/0x00070000000231e5-106.dat	upx
behavioral2/files/0x00070000000231e5-107.dat	upx
behavioral2/files/0x00070000000231e9-111.dat	upx
behavioral2/files/0x00070000000231e9-112.dat	upx
behavioral2/memory/2008-113-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/4816-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/4816-117-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231eb-119.dat	upx
behavioral2/files/0x00070000000231eb-120.dat	upx
behavioral2/memory/4796-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231ec-125.dat	upx
behavioral2/files/0x00070000000231ec-126.dat	upx
behavioral2/memory/1612-129-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231e5-179.dat	upx
behavioral2/memory/1504-183-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231e9-184.dat	upx
behavioral2/memory/3220-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231eb-189.dat	upx
behavioral2/memory/1336-192-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231ec-194.dat	upx
behavioral2/memory/1232-197-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231ed-199.dat	upx
behavioral2/files/0x00070000000231ed-200.dat	upx
behavioral2/memory/4872-203-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231ee-206.dat	upx
behavioral2/memory/2568-208-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231ee-205.dat	upx
behavioral2/memory/1640-210-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231f0-212.dat	upx
behavioral2/files/0x00070000000231f0-213.dat	upx
behavioral2/memory/704-216-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2568-242-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231ed-244.dat	upx
behavioral2/memory/4052-247-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231ee-248.dat	upx
behavioral2/memory/3744-251-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x00070000000231f0-281.dat	upx
behavioral2/memory/2360-285-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2568-286-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	364b0867184a62e362272b89e4adec90_exe32.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	364b0867184a62e362272b89e4adec90_exe32.exe
File created	C:\desktop.ini	364b0867184a62e362272b89e4adec90_exe32.exe
File opened for modification	F:\desktop.ini	364b0867184a62e362272b89e4adec90_exe32.exe
File created	F:\desktop.ini	364b0867184a62e362272b89e4adec90_exe32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\Y:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\J:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\L:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\N:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\O:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\R:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\W:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\V:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\B:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\E:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\G:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\I:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\Q:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\T:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\U:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\Z:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\K:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\M:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\P:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\S:	364b0867184a62e362272b89e4adec90_exe32.exe
File opened (read-only)	\??\X:	364b0867184a62e362272b89e4adec90_exe32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	364b0867184a62e362272b89e4adec90_exe32.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	364b0867184a62e362272b89e4adec90_exe32.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	364b0867184a62e362272b89e4adec90_exe32.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	364b0867184a62e362272b89e4adec90_exe32.exe
File created	C:\Windows\SysWOW64\shell.exe	364b0867184a62e362272b89e4adec90_exe32.exe
File created	C:\Windows\SysWOW64\Mig2.scr	364b0867184a62e362272b89e4adec90_exe32.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	364b0867184a62e362272b89e4adec90_exe32.exe
File created	C:\Windows\xk.exe	364b0867184a62e362272b89e4adec90_exe32.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	364b0867184a62e362272b89e4adec90_exe32.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	364b0867184a62e362272b89e4adec90_exe32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2568	364b0867184a62e362272b89e4adec90_exe32.exe
2568	364b0867184a62e362272b89e4adec90_exe32.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2568	364b0867184a62e362272b89e4adec90_exe32.exe
2008	xk.exe
4816	IExplorer.exe
4796	WINLOGON.EXE
1612	CSRSS.EXE
1504	xk.exe
3220	IExplorer.exe
1336	WINLOGON.EXE
1232	CSRSS.EXE
4872	SERVICES.EXE
1640	LSASS.EXE
704	SMSS.EXE
4052	SERVICES.EXE
3744	LSASS.EXE
2360	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2008	2568	364b0867184a62e362272b89e4adec90_exe32.exe	83
PID 2568 wrote to memory of 2008	2568	364b0867184a62e362272b89e4adec90_exe32.exe	83
PID 2568 wrote to memory of 2008	2568	364b0867184a62e362272b89e4adec90_exe32.exe	83
PID 2568 wrote to memory of 4816	2568	364b0867184a62e362272b89e4adec90_exe32.exe	84
PID 2568 wrote to memory of 4816	2568	364b0867184a62e362272b89e4adec90_exe32.exe	84
PID 2568 wrote to memory of 4816	2568	364b0867184a62e362272b89e4adec90_exe32.exe	84
PID 2568 wrote to memory of 4796	2568	364b0867184a62e362272b89e4adec90_exe32.exe	86
PID 2568 wrote to memory of 4796	2568	364b0867184a62e362272b89e4adec90_exe32.exe	86
PID 2568 wrote to memory of 4796	2568	364b0867184a62e362272b89e4adec90_exe32.exe	86
PID 2568 wrote to memory of 1612	2568	364b0867184a62e362272b89e4adec90_exe32.exe	87
PID 2568 wrote to memory of 1612	2568	364b0867184a62e362272b89e4adec90_exe32.exe	87
PID 2568 wrote to memory of 1612	2568	364b0867184a62e362272b89e4adec90_exe32.exe	87
PID 2568 wrote to memory of 1504	2568	364b0867184a62e362272b89e4adec90_exe32.exe	88
PID 2568 wrote to memory of 1504	2568	364b0867184a62e362272b89e4adec90_exe32.exe	88
PID 2568 wrote to memory of 1504	2568	364b0867184a62e362272b89e4adec90_exe32.exe	88
PID 2568 wrote to memory of 3220	2568	364b0867184a62e362272b89e4adec90_exe32.exe	89
PID 2568 wrote to memory of 3220	2568	364b0867184a62e362272b89e4adec90_exe32.exe	89
PID 2568 wrote to memory of 3220	2568	364b0867184a62e362272b89e4adec90_exe32.exe	89
PID 2568 wrote to memory of 1336	2568	364b0867184a62e362272b89e4adec90_exe32.exe	90
PID 2568 wrote to memory of 1336	2568	364b0867184a62e362272b89e4adec90_exe32.exe	90
PID 2568 wrote to memory of 1336	2568	364b0867184a62e362272b89e4adec90_exe32.exe	90
PID 2568 wrote to memory of 1232	2568	364b0867184a62e362272b89e4adec90_exe32.exe	91
PID 2568 wrote to memory of 1232	2568	364b0867184a62e362272b89e4adec90_exe32.exe	91
PID 2568 wrote to memory of 1232	2568	364b0867184a62e362272b89e4adec90_exe32.exe	91
PID 2568 wrote to memory of 4872	2568	364b0867184a62e362272b89e4adec90_exe32.exe	92
PID 2568 wrote to memory of 4872	2568	364b0867184a62e362272b89e4adec90_exe32.exe	92
PID 2568 wrote to memory of 4872	2568	364b0867184a62e362272b89e4adec90_exe32.exe	92
PID 2568 wrote to memory of 1640	2568	364b0867184a62e362272b89e4adec90_exe32.exe	93
PID 2568 wrote to memory of 1640	2568	364b0867184a62e362272b89e4adec90_exe32.exe	93
PID 2568 wrote to memory of 1640	2568	364b0867184a62e362272b89e4adec90_exe32.exe	93
PID 2568 wrote to memory of 704	2568	364b0867184a62e362272b89e4adec90_exe32.exe	94
PID 2568 wrote to memory of 704	2568	364b0867184a62e362272b89e4adec90_exe32.exe	94
PID 2568 wrote to memory of 704	2568	364b0867184a62e362272b89e4adec90_exe32.exe	94
PID 2568 wrote to memory of 4052	2568	364b0867184a62e362272b89e4adec90_exe32.exe	102
PID 2568 wrote to memory of 4052	2568	364b0867184a62e362272b89e4adec90_exe32.exe	102
PID 2568 wrote to memory of 4052	2568	364b0867184a62e362272b89e4adec90_exe32.exe	102
PID 2568 wrote to memory of 3744	2568	364b0867184a62e362272b89e4adec90_exe32.exe	103
PID 2568 wrote to memory of 3744	2568	364b0867184a62e362272b89e4adec90_exe32.exe	103
PID 2568 wrote to memory of 3744	2568	364b0867184a62e362272b89e4adec90_exe32.exe	103
PID 2568 wrote to memory of 2360	2568	364b0867184a62e362272b89e4adec90_exe32.exe	105
PID 2568 wrote to memory of 2360	2568	364b0867184a62e362272b89e4adec90_exe32.exe	105
PID 2568 wrote to memory of 2360	2568	364b0867184a62e362272b89e4adec90_exe32.exe	105

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	364b0867184a62e362272b89e4adec90_exe32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	364b0867184a62e362272b89e4adec90_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	364b0867184a62e362272b89e4adec90_exe32.exe

C:\Users\Admin\AppData\Local\Temp\364b0867184a62e362272b89e4adec90_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\364b0867184a62e362272b89e4adec90_exe32.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2568
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2008
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4816
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4796
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1612
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1504
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3220
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1336
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1232
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4872
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1640
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:704
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4052
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3744
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
84f0bf6ee839b64d0cae650279bc9f4b

SHA1
e019d50765dd3060ce28f45407e227b5f23e1e52

SHA256
a26d154219b8b8bd5f92770dae5bd9145401ecf1a83b4f2baf757c31ef986638

SHA512
7523d760d27a3b02c082d077a29d3db7bf9ca12b9d145311d9a42e85e2a6049e80b58048619f7049cd8e3576d4d22a227ef81051a3f20177f49fdfc9e53b6b52

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
428dc69943c91be5c607bba7eb122c5e

SHA1
6c371cb987384746559e073326e845113dc1c856

SHA256
c927d1f82592ddaf5c6be89625462a0870d3606e117abbe1f47387dd2a9ffb8f

SHA512
9e86d47765e12f2da3e07308cce153a136dae878b34646073dcb9bf5ccacadd06e7587e7795b01b7e618ae85f16ceb4853f08456b68995311cef87e9d07fe08b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
ba3c7c4e842a24f8119598f4b6d8ab73

SHA1
72cb618177ac8eca98ef95d386a3f754587b2d71

SHA256
8f79d5dad21566e9f9f3e9f86148510dec50ddb55b4702f5c1e9802649da5843

SHA512
5b735e1cc0614aa96106d31091b3db2c3121303fdca0a9e799563f4386408e2d52deda5dade7b40317cc0c76a06573c3061e392b98b864760c8df4a5dde363ed

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
ba3c7c4e842a24f8119598f4b6d8ab73

SHA1
72cb618177ac8eca98ef95d386a3f754587b2d71

SHA256
8f79d5dad21566e9f9f3e9f86148510dec50ddb55b4702f5c1e9802649da5843

SHA512
5b735e1cc0614aa96106d31091b3db2c3121303fdca0a9e799563f4386408e2d52deda5dade7b40317cc0c76a06573c3061e392b98b864760c8df4a5dde363ed

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
5c9dc9e352a4851bcbff2bfcd9be74e2

SHA1
ddb181f03b000ecf6262bfa0d9f4c680d831d8bc

SHA256
b6bc99bc7ef5f586e1d87bdca0a4a4ce4232afa4dd792c7dd88ef4696a6bc58e

SHA512
02d49e818beade4bb34b278b3e68d3dae18b00187c2602f7e6625009cdb8120374b00bfd414d5164610fbe52806c090ad51d9b39c09a123aefb5abda119ca963

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
5c9dc9e352a4851bcbff2bfcd9be74e2

SHA1
ddb181f03b000ecf6262bfa0d9f4c680d831d8bc

SHA256
b6bc99bc7ef5f586e1d87bdca0a4a4ce4232afa4dd792c7dd88ef4696a6bc58e

SHA512
02d49e818beade4bb34b278b3e68d3dae18b00187c2602f7e6625009cdb8120374b00bfd414d5164610fbe52806c090ad51d9b39c09a123aefb5abda119ca963

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
097f7a241d94f10dcc46bb14a6aed02d

SHA1
b38827a0c34de0ee438588a4f8a526866aac9734

SHA256
e310babfc95823cb5a0dabe3eadb4e6135b018414afb33dad7fce6ef03c3e436

SHA512
4ff2b5fe28011bbf21643729fd8753a778041bd4bcad2753a54eff32d3e052efa01b5b0ba56cb6516c6e3ad536c013ad414cf0b66fdf4dd4e6f4b3b0fcedc13a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
097f7a241d94f10dcc46bb14a6aed02d

SHA1
b38827a0c34de0ee438588a4f8a526866aac9734

SHA256
e310babfc95823cb5a0dabe3eadb4e6135b018414afb33dad7fce6ef03c3e436

SHA512
4ff2b5fe28011bbf21643729fd8753a778041bd4bcad2753a54eff32d3e052efa01b5b0ba56cb6516c6e3ad536c013ad414cf0b66fdf4dd4e6f4b3b0fcedc13a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
4ae333ea6f719e058e64a72f6eb6b3bf

SHA1
e3b20c9246908f305c2190734754ee9ef364e005

SHA256
f5566025652900f271b3fb0941591ed82dbe3b24940fedb03c749e0c96f97450

SHA512
a4b3f30237ef5555cbf4f2d04cd7ae85481347aedcb92db19af7e54245457cde20e9d503578424c4777dcd4d4adfad5b4f274d1292a41167f9f8b92ca133845d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
f685416794de5b2d9896c7c9f96af023

SHA1
526ad92956e3bb1c63ed9268d3212017b7ff4092

SHA256
6616c1bcc85c8c3b91fa97f256b1ce8d55af73c95e4bbf36751e49a60b13e424

SHA512
ad239ecd87eff7d2bc337d3601fda7926db43986798a493e1bb799f1216865a39b736d3af89839531940173c840b35190b4f52c093cf42de7e8c974dc576fc83

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
196KB

MD5
364b0867184a62e362272b89e4adec90

SHA1
b0025bcdd7ee5e3d44b6519419b409df8c954b2d

SHA256
61cb3786b5ee1578358b41b6f23e0f78a78a5954f8d761846e1c84ad521ca159

SHA512
c948d6230417e5604c4003cc29ee57991723d3692c97a708d6c21623dc561326ddfc6ef0622ae34510967454df2ee7d7959629805de7249e9ad6f69d18115a2e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
84f0bf6ee839b64d0cae650279bc9f4b

SHA1
e019d50765dd3060ce28f45407e227b5f23e1e52

SHA256
a26d154219b8b8bd5f92770dae5bd9145401ecf1a83b4f2baf757c31ef986638

SHA512
7523d760d27a3b02c082d077a29d3db7bf9ca12b9d145311d9a42e85e2a6049e80b58048619f7049cd8e3576d4d22a227ef81051a3f20177f49fdfc9e53b6b52

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
ba3c7c4e842a24f8119598f4b6d8ab73

SHA1
72cb618177ac8eca98ef95d386a3f754587b2d71

SHA256
8f79d5dad21566e9f9f3e9f86148510dec50ddb55b4702f5c1e9802649da5843

SHA512
5b735e1cc0614aa96106d31091b3db2c3121303fdca0a9e799563f4386408e2d52deda5dade7b40317cc0c76a06573c3061e392b98b864760c8df4a5dde363ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
5c9dc9e352a4851bcbff2bfcd9be74e2

SHA1
ddb181f03b000ecf6262bfa0d9f4c680d831d8bc

SHA256
b6bc99bc7ef5f586e1d87bdca0a4a4ce4232afa4dd792c7dd88ef4696a6bc58e

SHA512
02d49e818beade4bb34b278b3e68d3dae18b00187c2602f7e6625009cdb8120374b00bfd414d5164610fbe52806c090ad51d9b39c09a123aefb5abda119ca963

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
097f7a241d94f10dcc46bb14a6aed02d

SHA1
b38827a0c34de0ee438588a4f8a526866aac9734

SHA256
e310babfc95823cb5a0dabe3eadb4e6135b018414afb33dad7fce6ef03c3e436

SHA512
4ff2b5fe28011bbf21643729fd8753a778041bd4bcad2753a54eff32d3e052efa01b5b0ba56cb6516c6e3ad536c013ad414cf0b66fdf4dd4e6f4b3b0fcedc13a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
4ae333ea6f719e058e64a72f6eb6b3bf

SHA1
e3b20c9246908f305c2190734754ee9ef364e005

SHA256
f5566025652900f271b3fb0941591ed82dbe3b24940fedb03c749e0c96f97450

SHA512
a4b3f30237ef5555cbf4f2d04cd7ae85481347aedcb92db19af7e54245457cde20e9d503578424c4777dcd4d4adfad5b4f274d1292a41167f9f8b92ca133845d

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
1796c41410da5002691ceb747ac01634

SHA1
f7207d671b198d0322380dd3edc9e7561f6d9f0e

SHA256
bd14358214c8c1cec0ad151290c986f7764bc811228ad4978fd453f0dc86baa3

SHA512
2d8976620f430d42fe8aa9b5b9300d01401db017d98b81d22af0b7f3cfcaf9c3f4289d8b1b1e28ff6602372227bfb011cf094510a61361204a8beeec00cb5b6c

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
1796c41410da5002691ceb747ac01634

SHA1
f7207d671b198d0322380dd3edc9e7561f6d9f0e

SHA256
bd14358214c8c1cec0ad151290c986f7764bc811228ad4978fd453f0dc86baa3

SHA512
2d8976620f430d42fe8aa9b5b9300d01401db017d98b81d22af0b7f3cfcaf9c3f4289d8b1b1e28ff6602372227bfb011cf094510a61361204a8beeec00cb5b6c

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
c9f0fe071154e8caca597ea37ceef75e

SHA1
1fc60b4ee977890ba05ac2a8384cba5335fded26

SHA256
bca31aa49c9b2fe9dbe30908fa74c41a50f0a2e51ba417cc71066f461c5a8005

SHA512
6f998a9707e3ad847167cbdc1087c0965df5059a7c98bea785a2997b2e58a6a22cc58009070fe334e78c0b78ff9e6a8881154fcb83b5e04922abff0f0a9c3bd9

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
bada687e0bcaece71cb7f3ec924d93c1

SHA1
2db1e0379b9d3ed20c063a7fcef63bc1998291e6

SHA256
64620a7189aa755afcf12980be2efa9ec9a1e7759fcb8c0475e217755f2436f6

SHA512
d9bb77a1d9d9e6bb2857a4838a06881291434efafda0230647929d682b5ecb3f12952bfe8998eabab98617978f95a62b5549b01c89ab4d42e086a7934e91dc2e

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
bada687e0bcaece71cb7f3ec924d93c1

SHA1
2db1e0379b9d3ed20c063a7fcef63bc1998291e6

SHA256
64620a7189aa755afcf12980be2efa9ec9a1e7759fcb8c0475e217755f2436f6

SHA512
d9bb77a1d9d9e6bb2857a4838a06881291434efafda0230647929d682b5ecb3f12952bfe8998eabab98617978f95a62b5549b01c89ab4d42e086a7934e91dc2e

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
802c051541d079e61ec2cd314e6458ac

SHA1
03abf02c7b3f4785f884f3b1efdd69b1d2a70cd1

SHA256
2c90fb1177ff38841ad99fe9bea9093e5adf16d7c5125cf03af8504b4b9d8cbf

SHA512
847ccdbf7bc777808d798f506fc57c8e3fa901ae589822957dae6be783e6da70034dfb5b2756f817f80bdf6a9ba47689d14a0c3c2f12a9e61c3718ecef648830

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/704-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-129-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1640-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2360-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-242-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3220-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3744-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4796-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download