Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2023 14:31
Behavioral task: behavioral1
Sample: 434281e89d42d43651ca7ef483f75432.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: 434281e89d42d43651ca7ef483f75432.exe
Resource: win10v2004-20231215-en
General
Target: 434281e89d42d43651ca7ef483f75432.exe
Size: 176KB
MD5: 434281e89d42d43651ca7ef483f75432
SHA1: 4c0dc22d0b52b1b71c76d519f1fcfb1abcdcf17e
SHA256: 3cc1eddd0b66457667d1be49f2fd15be3030207cbef31c3f58a77e271b7f57fc
SHA512: 90a0e0aa5216aaff28426f5dc664b399c5246f34faa9c01491fdf3b015bf649da443b2ba7b4b5a8caba7d1391d43c22546e8b6914d85bfa6a7a26708d2c9254d
SSDEEP: 3072:waI2zPkZk+3hpicdqwXFU+bOWYs38HQxcn54EJyVrzK1Edk5aS48wQ:vIGEnprZkRs38t54c6rzNdfS
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\"" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\"" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\"" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\"" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\"" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\"" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe" | Shell.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 434281e89d42d43651ca7ef483f75432.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WlNLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Shell.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 434281e89d42d43651ca7ef483f75432.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WlNLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Shell.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 434281e89d42d43651ca7ef483f75432.exe
Executes dropped EXE 5 IoCs
pid | Process
2472 | WlNLOGON.EXE
2964 | Shell.exe
2800 | CSRSS.EXE
1916 | SERVICES.EXE
1996 | SMSS.EXE
Loads dropped DLL 8 IoCs
pid | Process
776 | 434281e89d42d43651ca7ef483f75432.exe
776 | 434281e89d42d43651ca7ef483f75432.exe
776 | 434281e89d42d43651ca7ef483f75432.exe
776 | 434281e89d42d43651ca7ef483f75432.exe
776 | 434281e89d42d43651ca7ef483f75432.exe
776 | 434281e89d42d43651ca7ef483f75432.exe
776 | 434281e89d42d43651ca7ef483f75432.exe
776 | 434281e89d42d43651ca7ef483f75432.exe
Modifies system executable filetype association 2 TTPs 62 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
resource | yara_rule
behavioral1/memory/776-0-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/files/0x0009000000015c94-12.dat | upx
behavioral1/files/0x0007000000015cc4-92.dat | upx
behavioral1/files/0x0007000000015cf2-106.dat | upx
behavioral1/memory/2964-108-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/memory/776-100-0x0000000003700000-0x00000000037AA000-memory.dmp | upx
behavioral1/files/0x0006000000015d0f-116.dat | upx
behavioral1/memory/2800-119-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/files/0x0006000000015d23-122.dat | upx
behavioral1/memory/1916-128-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/files/0x0006000000015d2b-132.dat | upx
behavioral1/memory/2472-147-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/memory/2800-170-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/memory/1996-172-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/memory/1916-171-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/memory/2964-160-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/memory/776-152-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
behavioral1/files/0x0009000000015c94-146.dat | upx
behavioral1/files/0x0006000000015d2b-144.dat | upx
behavioral1/files/0x0006000000015d2b-130.dat | upx
behavioral1/files/0x0006000000015d23-126.dat | upx
behavioral1/memory/2472-98-0x0000000000400000-0x00000000004AA000-memory.dmp | upx
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE" | WlNLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE" | WlNLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | WlNLOGON.EXE
Drops desktop.ini file(s) 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Desktop.ini | 434281e89d42d43651ca7ef483f75432.exe
File created | C:\Windows\Desktop.ini | 434281e89d42d43651ca7ef483f75432.exe
Drops file in System32 directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\SysWOW64\Telematika.scr | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\SysWOW64\OEMLOGO.BMP | SMSS.EXE
File created | C:\Windows\SysWOW64\OEMINFO.ini | 434281e89d42d43651ca7ef483f75432.exe
File created | C:\Windows\SysWOW64\shell.exe | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Shell.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | CSRSS.EXE
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | SERVICES.EXE
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | SMSS.EXE
File created | C:\Windows\SysWOW64\OEMLOGO.BMP | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 434281e89d42d43651ca7ef483f75432.exe
File created | C:\Windows\SysWOW64\Telematika.scr | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | WlNLOGON.EXE
File opened for modification | C:\Windows\SysWOW64\OEMINFO.ini | SMSS.EXE
Drops file in Windows directory 19 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Desktop.ini | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\msvbvm60.dll | Shell.exe
File created | C:\Windows\msvbvm60.dll | CSRSS.EXE
File opened for modification | C:\Windows\msvbvm60.dll | SMSS.EXE
File created | C:\Windows\WlNLOGON.EXE | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\ | 434281e89d42d43651ca7ef483f75432.exe
File created | C:\Windows\msvbvm60.dll | Shell.exe
File created | C:\Windows\msvbvm60.dll | SMSS.EXE
File created | C:\Windows\msvbvm60.dll | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\msvbvm60.dll | WlNLOGON.EXE
File opened for modification | C:\Windows\msvbvm60.dll | SERVICES.EXE
File opened for modification | C:\Windows\120.0.0.1.htm | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\msvbvm60.dll | CSRSS.EXE
File created | C:\Windows\120.0.0.1.htm | 434281e89d42d43651ca7ef483f75432.exe
File created | C:\Windows\Desktop.ini | 434281e89d42d43651ca7ef483f75432.exe
File created | C:\Windows\msvbvm60.dll | WlNLOGON.EXE
File created | C:\Windows\msvbvm60.dll | SERVICES.EXE
File opened for modification | C:\Windows\msvbvm60.dll | 434281e89d42d43651ca7ef483f75432.exe
File opened for modification | C:\Windows\WlNLOGON.EXE | 434281e89d42d43651ca7ef483f75432.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 42 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International | WlNLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s1159 = "Awan" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s2359 = "Bengi" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | WlNLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | SMSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International | SMSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ | SERVICES.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR" | WlNLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | WlNLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s2359 = "Bengi" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s2359 = "Bengi" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | SERVICES.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ | WlNLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s1159 = "Awan" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s1159 = "Awan" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s1159 = "Awan" | WlNLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s2359 = "Bengi" | WlNLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s2359 = "Bengi" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s1159 = "Awan" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s2359 = "Bengi" | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\s1159 = "Awan" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR" | CSRSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\Desktop\ | SMSS.EXE
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main | CSRSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main | SERVICES.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main | SMSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main | WlNLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main | Shell.exe
Modifies Internet Explorer start page 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm" | WlNLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm" | Shell.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm" | SMSS.EXE
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | WlNLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | Shell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WlNLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | Shell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 434281e89d42d43651ca7ef483f75432.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | Shell.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
776 | 434281e89d42d43651ca7ef483f75432.exe
1996 | SMSS.EXE (13 entries)
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
776 | 434281e89d42d43651ca7ef483f75432.exe
2472 | WlNLOGON.EXE
2964 | Shell.exe
2800 | CSRSS.EXE
1916 | SERVICES.EXE
1996 | SMSS.EXE
-
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 776 wrote to memory of 2472 | 776 | 434281e89d42d43651ca7ef483f75432.exe | 28 (4 entries)
PID 776 wrote to memory of 2964 | 776 | 434281e89d42d43651ca7ef483f75432.exe | 32 (4 entries)
PID 776 wrote to memory of 2800 | 776 | 434281e89d42d43651ca7ef483f75432.exe | 31 (4 entries)
PID 776 wrote to memory of 1916 | 776 | 434281e89d42d43651ca7ef483f75432.exe | 30 (4 entries)
PID 776 wrote to memory of 1996 | 776 | 434281e89d42d43651ca7ef483f75432.exe | 29 (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\434281e89d42d43651ca7ef483f75432.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\434281e89d42d43651ca7ef483f75432.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Drops file in Drivers directory
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\WlNLOGON.EXE (depth 2)
Command line: C:\Windows\WlNLOGON.EXE
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2472
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1996
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1916
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2800
-
C:\Windows\SysWOW64\Shell.exe (depth 2)
Command line: C:\Windows\system32\Shell.exe (the 32-bit parent's system32 path resolved to SysWOW64 under WOW64 file system redirection)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2964
-
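A host-side check for the indicators this report records (Winlogon Shell and Userinit, the exefile/batfile/comfile/piffile/lnkfile open commands, the Internet Explorer start page, the dropped look-alike binaries and the processes they spawn), as an added example; it is not part of the sandbox output. Assumptions: it runs as Administrator in 64-bit Windows PowerShell 4.0 or later (for Get-FileHash), the "expected" values are stock Windows defaults rather than anything the report states, each profile's AppData\Local is checked in place of the legacy "Local Settings\Application Data" junction the sandbox logged, and the Internet Explorer value is checked for the current user only. The sample is a 32-bit process: its Winlogon writes landed under Wow6432Node and its "C:\Windows\system32\Shell.exe" child ran from C:\Windows\SysWOW64, so both registry views and both directories are inspected. The "Key created" entries for the {20D04FE0-...} and {645FF040-...} CLSIDs carry no value change in this report and are not audited.

```powershell
# Added example: host audit for the indicators in this sandbox report. Not part of the report.
# Assumptions: Administrator, 64-bit Windows PowerShell 4.0+ (Get-FileHash); "expected"
# values are stock Windows defaults, not values taken from the report.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Text) { $findings.Add($Text) }

# 1. Winlogon Shell / Userinit. The sample is 32-bit and its writes went to Wow6432Node,
#    so the native view (read by the 64-bit winlogon.exe) and the WOW64 view are both checked.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $wl = Get-ItemProperty -Path $key
    if ($wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        Add-Finding "Winlogon Shell in $key is '$($wl.Shell)' (expected 'explorer.exe')"
    }
    if ($wl.Userinit -and $wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
        Add-Finding "Winlogon Userinit in $key is '$($wl.Userinit)' (expected 'C:\Windows\system32\userinit.exe,')"
    }
}

# 2. File-association hijack. The report shows the open command of these ProgIDs set to
#    "C:\Windows\system32\shell.exe" "%1" %*. Stock default for the first four is "%1" %*;
#    lnkfile is assumed to have no plain command by default, so only shell.exe is flagged there.
foreach ($progId in 'exefile', 'batfile', 'comfile', 'piffile', 'lnkfile') {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    if (-not (Test-Path $cmdKey)) { continue }
    $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
    if ($cmd -match 'shell\.exe') {
        Add-Finding "$progId open command is '$cmd' (references shell.exe)"
    } elseif ($progId -ne 'lnkfile' -and $cmd -ne '"%1" %*') {
        Add-Finding "$progId open command is '$cmd' (expected '`"%1`" %*')"
    }
}

# 3. Internet Explorer start page (current user only; other profiles live under HKU).
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
if (Test-Path $ieMain) {
    $startPage = (Get-ItemProperty -Path $ieMain).'Start Page'
    if ($startPage -match '120\.0\.0\.1\.htm') {
        Add-Finding "IE start page is '$startPage'"
    }
}

# 4. Dropped files. WlNLOGON.EXE is spelled with a lowercase L. The sandbox path
#    "Local Settings\Application Data" is the legacy junction to AppData\Local.
$dropped = @(
    "$env:SystemRoot\WlNLOGON.EXE",
    "$env:SystemRoot\System32\Shell.exe",
    "$env:SystemRoot\SysWOW64\Shell.exe",
    "$env:SystemRoot\120.0.0.1.htm"        # referenced by the start page value
)
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($name in 'SMSS.EXE', 'SERVICES.EXE', 'CSRSS.EXE') {
        $dropped += Join-Path $userDir.FullName "AppData\Local\WINDOWS\$name"
    }
}
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Add-Finding "Dropped file present: $path (SHA256 $sha256)"
    }
}

# 5. Running processes with these names that were not loaded from System32.
#    $proc.Path is $null for processes this session cannot open.
$names = 'smss', 'csrss', 'services', 'winlogon', 'wlnlogon', 'shell'
foreach ($proc in Get-Process | Where-Object { $names -contains $_.Name }) {
    if ($proc.Path -and $proc.Path -notlike "$env:SystemRoot\System32\*") {
        Add-Finding "Process $($proc.Name) (PID $($proc.Id)) is running from '$($proc.Path)'"
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report were found.' } else { $findings }
```

On a 64-bit host a hit only in the Wow6432Node Winlogon key means the 32-bit view was modified; the 64-bit winlogon.exe reads the native key, so confirm which view is affected before treating that persistence as active. The open-command entries under HKLM\SOFTWARE\Classes are not redirected (the report shows them written without Wow6432Node while the CLSID writes were redirected), so they apply to every process and should be repaired first. Compare any SHA256 the script reports with the hashes in the Downloads section below.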
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads
-
Filesize: 176KB
MD5: 15fb4a497f81a8b2732b0f4a6e24ccf6
SHA1: 8bf9a034e5ccfa06b21250aecae400dd4b624698
SHA256: c70c9bf9ac65a7a42fb9782df0b7564dc751e3f2840a4c1e3079d61069f95ff3
SHA512: 6168227f37e98716091107df17e3d44135a555dab4258a0c8e32c71ce71ab016f68519aa2da7cc09459366bdcf839b4513cd80fe1fa0d11630fc060ff0721075
-
Filesize: 147KB
MD5: 4a2b92e3e6e47b1d1d3a38f22e374c8c
SHA1: a92cf85c7a2a5661338fe0d48253e633a1b97592
SHA256: 5d4ac040a21d27c2c454d017f0febc1ec537e72587831ba6d1eea3b60fa315f1
SHA512: 935eff8fc3d513c0012797849c962d40dd352813525001bd4047dfdb5fd3fed5c23dd36a22f1837b556bdb9a28de7a81b1cd8936add8074ecf13bda364c6b028
-
Filesize: 176KB
MD5: 434281e89d42d43651ca7ef483f75432
SHA1: 4c0dc22d0b52b1b71c76d519f1fcfb1abcdcf17e
SHA256: 3cc1eddd0b66457667d1be49f2fd15be3030207cbef31c3f58a77e271b7f57fc
SHA512: 90a0e0aa5216aaff28426f5dc664b399c5246f34faa9c01491fdf3b015bf649da443b2ba7b4b5a8caba7d1391d43c22546e8b6914d85bfa6a7a26708d2c9254d
-
Filesize: 176KB
MD5: 31e9db15341feeffa054a9971452f7e3
SHA1: 5d9916c72e78e149cc053df322080e48dc0077e9
SHA256: 6e46a554837d0fcdf70d2165db3b2206b0291247956d3186b42fd0b342b9d8a5
SHA512: 6a53cdbefa2f78ad765ed9fda047882d2c0cd2be0f91d5884ee98473ee57570d0d2d791de31dbddb77b17e4ee5c999133cb46de823f06b85e111bdbf1cb268c8
-
Filesize: 131KB
MD5: 727c2996710f75cb9a343e2e582277ac
SHA1: 81f44e2d767e421f412e3cafd1a6e368c9a49495
SHA256: 413b039b346b3e4c30a215807ede49948718095bcc8813027887bf7ce641711a
SHA512: 258b884dedd25bf55af369140d320db89e269e8386c40c1fa7a65fe7456856b5d29a50e6f0570197e7e69cfacfb06b4b8150de989e7e88de6b59cf1873fb009e
-
Filesize: 65B
MD5: 990a0bd866566534e37192439277e040
SHA1: 90abfe04350a375df3beddd411256143e606461b
SHA256: ee3aaf1bcc2539bdddb6f25f4d0902cd023d83d902196d1bf2fcd37a73469038
SHA512: e598c68ae8f1a62cbc870fb7cf2c634ba24d1f1bfa62428a23aac7c914b3a775fa06564b6e084eaf9215086da433a80e49f2cbe81ca990414df3e57716dea4b7
-
Filesize: 450KB
MD5: 24039a11df3ee7e7f697452c0dee20ee
SHA1: da4d2b57d2e0234a9f0b2b7d629662ffe8548fec
SHA256: 8214f7e1343cd27862db99750f1a110d2195285c74231cf505ba6ad1714df66a
SHA512: 49c33a0c853178b0ed77041c75e1b2f1120cf689cc5884d6efbd12ce0f2cb7a447f5f7c445f474093e824fe843698c7138204acf8249a6749166480801f1584e
-
Filesize: 462B
MD5: 45d327d7d806625d696945dea064d7a2
SHA1: 81a36b2a66c8dcce870a82409c6f772cc06addf0
SHA256: e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a
SHA512: 8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c
-
Filesize: 40KB
MD5: 4de286f5923036648db750d58ba496e8
SHA1: 0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67
SHA256: eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c
SHA512: 069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f
-
Filesize: 176KB
MD5: 36ec50ed48efd4072a396eafea92b141
SHA1: 7030433b551cc07114469c0946cfc64f5c67a3fc
SHA256: 68f1410bc6820ebd64eb5788c9ce2b37cbac54e4390a2777e795195e3f8c5985
SHA512: d33a3d918e16835ea404204a2e9e70771cf650b42673701937b283ac288fb341709a4389b1da67211d90a34d0b0eacf5a4a7a2fa581c2511f9d2f6b5fc313e73
-
Filesize: 176KB
MD5: c0828aeb012c6c41448b65a74bc61b02
SHA1: 919d383b1c7f7459bc6ef3a1198a09b6b06ddf26
SHA256: ef16ed6c7a6a9562f6a23baa8873d68136b7a1639de47e97a07b1225f8751823
SHA512: 867b361b30a4e99ac75d43aa74d3a6e43d905b22501fcc8884f6da4e7a4a3971ba8687cffe79ae972b8df0c90115f1692e2577bb2c9798a8b8388e33e7bf543f
-
Filesize: 176KB
MD5: 4ba6e0b4233935654df343b9bf5411e7
SHA1: 63c47e763d35e2a557de1b4c00849d4de8713ab2
SHA256: f79ead5f16b857a365b6bf3c0f5c76c080e0547bcc1bc445ca68ec5789c6b741
SHA512: 686c930423d8b4ea1ba8e548341f1ef9a82c6f9ea6ec98577665aa82311154f230afada53d455bd88f4baa879f055224c14bf4f4d43c4c236c273ed967202589
-
Filesize: 136KB
MD5: d586ec87d8b67078f4150b44e6bca9fe
SHA1: ac6d4235b589bb7fcea1f53f5cf1519dd795d127
SHA256: d8342c4e44a7921bcd413ec80cd62f5d66fd7ab72ca13bf080be9f0c7fb925cd
SHA512: 03dfc74f5cd460f1bcb3c488fbcdcc9d6991d7fa3343a179ce18961488355383a5354316556f2dc31ba99a1d47370edc40b73d8fc7a68b3afcbb7f55299e4a2d
-
Filesize: 141KB
MD5: 5868f3970fc5b61834daa404cdc07dd6
SHA1: 46b40872c787620f5c28638d7dbfab48c551f8ef
SHA256: 44b31552c372b451163f56f1a2d5f5b070f0b2af9fb7e3fe5c36811c0f60b1a8
SHA512: afc7fd5ff235f70cd69599c746b44d4fd2405c5396ca69aedfc19d0d363db7bdc6431e2cea426228539f2db3c5f4b6088aefec08af21560423b903b1f4d4592d