cff40a13d5f166ef5ffb35d7e245eb5817acc8fcbfc11caf0aac9806b1443a5f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2022a4f1ab3229944bac054c1fd5dce0.exe
Size

322KB
MD5

2022a4f1ab3229944bac054c1fd5dce0
SHA1

02141861dcf9776b7be213bdb63fcf3c0bc30104
SHA256

cff40a13d5f166ef5ffb35d7e245eb5817acc8fcbfc11caf0aac9806b1443a5f
SHA512

febe8fb7f29a4ca7fbd868601453c111a1a7edb5a882afe1be86a3a2086d965bdb7bbbfcf93f363523f056fd207ba9e05d3e8502fb4db88a65f8d5a742d1f079
SSDEEP

6144:MQDqT0nxuh1zu1pXs+1GHNkVsuaRaU6mHGjDi:rDvwh1zu1pXs+1Gt0aRz6mHGjDi

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe"	2022a4f1ab3229944bac054c1fd5dce0.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2864	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
3024	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	lsass.exe

Loads dropped DLL 7 IoCs

pid	Process
2924	regsvr32.exe
2040	2022a4f1ab3229944bac054c1fd5dce0.exe
2040	2022a4f1ab3229944bac054c1fd5dce0.exe
2608	lsass.exe
2608	lsass.exe
2608	lsass.exe
2608	lsass.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2040-24-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2608-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2608-25-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2022a4f1ab3229944bac054c1fd5dce0.exe"	2022a4f1ab3229944bac054c1fd5dce0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ setup = "C:\\WINDOWS\\Cursors\\lsass.exe"	lsass.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	2022a4f1ab3229944bac054c1fd5dce0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Cursors\lsass.exe	2022a4f1ab3229944bac054c1fd5dce0.exe
File opened for modification	C:\WINDOWS\Cursors\lsass.exe	attrib.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2040	2022a4f1ab3229944bac054c1fd5dce0.exe
2040	2022a4f1ab3229944bac054c1fd5dce0.exe
2608	lsass.exe
2608	lsass.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2924	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	17
PID 2040 wrote to memory of 2924	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	17
PID 2040 wrote to memory of 2924	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	17
PID 2040 wrote to memory of 2924	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	17
PID 2040 wrote to memory of 2924	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	17
PID 2040 wrote to memory of 2924	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	17
PID 2040 wrote to memory of 2924	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	17
PID 2040 wrote to memory of 3024	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	16
PID 2040 wrote to memory of 3024	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	16
PID 2040 wrote to memory of 3024	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	16
PID 2040 wrote to memory of 3024	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	16
PID 2040 wrote to memory of 3024	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	16
PID 2040 wrote to memory of 3024	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	16
PID 2040 wrote to memory of 3024	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	16
PID 2040 wrote to memory of 2864	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	35
PID 2040 wrote to memory of 2864	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	35
PID 2040 wrote to memory of 2864	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	35
PID 2040 wrote to memory of 2864	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	35
PID 2040 wrote to memory of 2864	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	35
PID 2040 wrote to memory of 2864	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	35
PID 2040 wrote to memory of 2864	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	35
PID 2040 wrote to memory of 2572	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	34
PID 2040 wrote to memory of 2572	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	34
PID 2040 wrote to memory of 2572	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	34
PID 2040 wrote to memory of 2572	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	34
PID 2040 wrote to memory of 2572	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	34
PID 2040 wrote to memory of 2572	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	34
PID 2040 wrote to memory of 2572	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	34
PID 2040 wrote to memory of 2608	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	32
PID 2040 wrote to memory of 2608	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	32
PID 2040 wrote to memory of 2608	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	32
PID 2040 wrote to memory of 2608	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	32
PID 2040 wrote to memory of 2608	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	32
PID 2040 wrote to memory of 2608	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	32
PID 2040 wrote to memory of 2608	2040	2022a4f1ab3229944bac054c1fd5dce0.exe	32

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3024	attrib.exe
2572	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2022a4f1ab3229944bac054c1fd5dce0.exe
"C:\Users\Admin\AppData\Local\Temp\2022a4f1ab3229944bac054c1fd5dce0.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\SysWOW64\attrib.exe
  attrib +S +H C:\Windows\system32\MSWINSCK.OCX
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:3024
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\MSWINSCK.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2924
- C:\WINDOWS\Cursors\lsass.exe
  C:\WINDOWS\Cursors\lsass.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Windows\SysWOW64\attrib.exe
  attrib +h C:\WINDOWS\Cursors\lsass.exe
  2⤵
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:2572
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram program =C:\WINDOWS\Cursors\lsass.exename = WinUpdate = ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2040-1-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download
memory/2040-24-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2040-14-0x0000000002FE0000-0x0000000003032000-memory.dmp

Filesize
328KB

Download
memory/2608-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2608-25-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads