Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-12-2023 21:22
Static task
static1
Behavioral task
behavioral1
Sample
f8ff826c4f06a022d3c9803e5a8b30e8.exe
Resource
win7-20231129-en
General
-
Target
f8ff826c4f06a022d3c9803e5a8b30e8.exe
-
Size
1.9MB
-
MD5
f8ff826c4f06a022d3c9803e5a8b30e8
-
SHA1
e6f1927bce0e0fbb8c71e82b890e1b2ceec8e0fe
-
SHA256
65529283bf5e859816e81a8d68c9d3939f2e3e66daab5c033bf727efd4a29225
-
SHA512
536d4fb47b16e260bbbbdc2fd2a29aec871207a935cafe42dacbfea2dee598494b669704e472d1c7762c536a16163f6404bbdade44c3a47513d3a21c4fe1111a
-
SSDEEP
3072:tNnqrxIGX/9nDiG7t6yCAti1zxGJidD5iYAHg4Cs7lJ/hYZ4z1sxtbjIUWnoRzir:tNnNZ4zytbLGo
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 14 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-68147444" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-82538192" winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-12970810" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-84530746" winlogon.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" winlogon.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winlogon.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" winlogon.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe -
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts winlogon.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\azonealarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsysnt.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\flowprotector.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Opera_964_int_Setup.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpdclnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vccmserv.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamstats.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navlu32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nc2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530stbyb.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe -
Executes dropped EXE 2 IoCs
pid Process 2976 winlogon.exe 1332 winlogon.exe -
Loads dropped DLL 2 IoCs
pid Process 2968 f8ff826c4f06a022d3c9803e5a8b30e8.exe 2968 f8ff826c4f06a022d3c9803e5a8b30e8.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1332-76-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-84-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-81-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-80-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-79-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-141-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-339-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-338-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-2207-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-2504-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-2664-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-2671-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-2678-0x0000000000400000-0x000000000043F000-memory.dmp upx behavioral1/memory/1332-2679-0x0000000000400000-0x000000000043F000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" winlogon.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\4524252474643435 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4524252474643435 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2976 set thread context of 1332 2976 winlogon.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Sound winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Sound\Beep = "no" winlogon.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://k4dai97exe344w8.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://7xve1y052b9leih.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410994767" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{76CACCF1-AF2F-11EE-BF0E-72CCAFC2F3F6} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d78000000000200000000001066000000010000200000006689519e016b00d279960b7f0cbe22cc270dc090c285578ee4aef20b6dd1bc88000000000e8000000002000020000000b5540ade5e5d0bd343f049ebc6c210425d0314f0952fd44e20923d9f1715e89e90000000b17bb5d0aa9decbcb24e4cb81c86fa272e23086927bbbee811334d3021368083ef2af48326f34dab22918527b8aca33838dc7f69012ce5d710e598824d1ade20fdf4efb1c8fd0f608aa4b4b31775c7246b2e249c1ce2b252b22bb3a2cfdc96b5c9a492cc295841358fbdaf4325f1cf74559cdc0c2c42406e7ce9c6d0a1f9119a6a98e546a7129c96071c5f14c66c67464000000040f98b968206c5c4d4b31d87f435b11e06f274b7d406865db9f822b19937e45e4ef9a1a0fe20188fcab1ee7603b74deaaeed8d2fa8b03309142ecb308f3c3ef3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://63s12v78v2db4y3.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://n9u4ylm8n12q3ow.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com IEXPLORE.EXE Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://y2az2s49utzs335.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Download winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://9s74z3u4vt390w3.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000033b2baa7c38bc34eb000abaaaac06d780000000002000000000010660000000100002000000045c1a425d4ff1bcefce2fcda756b715c1e2a026dce8edb1939add0a8e9328e1d000000000e8000000002000020000000ed6afce31af451d9fca523b71585f2370d88bcf84d0ab6040a6dc55887409f0020000000da203e9f3d492df6401ecf0b46ceae425a37c1f9e9309f42b2a57a6779c5483f40000000c6640654a5e19fbe2a6ed1fc85930a91a1c7a8178db66e1a2c251b0bb2e47677501444afc77c382363bbd33768ad6d81072cbf18a1f4861ba8c5a37e17498794 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07d4a4c3c43da01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://fh0g6g26hw584mn.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://48foa08957349wi.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://51fn4bf81c0elq4.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://dee5w09490v157z.directorio-w.com" winlogon.exe -
Modifies registry class 24 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application winlogon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe 1332 winlogon.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeBackupPrivilege 1332 winlogon.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2204 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2968 f8ff826c4f06a022d3c9803e5a8b30e8.exe 2976 winlogon.exe 1332 winlogon.exe 2204 iexplore.exe 2204 iexplore.exe 1204 IEXPLORE.EXE 1204 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2968 wrote to memory of 2976 2968 f8ff826c4f06a022d3c9803e5a8b30e8.exe 20 PID 2968 wrote to memory of 2976 2968 f8ff826c4f06a022d3c9803e5a8b30e8.exe 20 PID 2968 wrote to memory of 2976 2968 f8ff826c4f06a022d3c9803e5a8b30e8.exe 20 PID 2968 wrote to memory of 2976 2968 f8ff826c4f06a022d3c9803e5a8b30e8.exe 20 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2976 wrote to memory of 1332 2976 winlogon.exe 30 PID 2204 wrote to memory of 1204 2204 iexplore.exe 33 PID 2204 wrote to memory of 1204 2204 iexplore.exe 33 PID 2204 wrote to memory of 1204 2204 iexplore.exe 33 PID 2204 wrote to memory of 1204 2204 iexplore.exe 33 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8ff826c4f06a022d3c9803e5a8b30e8.exe"C:\Users\Admin\AppData\Local\Temp\f8ff826c4f06a022d3c9803e5a8b30e8.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Users\Admin\E696D64614\winlogon.exe"C:\Users\Admin\E696D64614\winlogon.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Users\Admin\E696D64614\winlogon.exeError 4483⤵
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Sets file execution options in registry
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1332
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1204
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
2Windows Service
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize252B
MD5aa787b0e13745409a26bb1a87e94eeee
SHA15daa76023c2c6b929bc3fe4c5b6720c04e95e4af
SHA25610e97d3a0f3688a6873f57af07a36754db2941813473d392e1a8d82be03a0f5a
SHA5125537018dad7725fbde593ccaffbb3d6f1274ec48cc1fdd7241924462201e518f328f44728759e03d98a0412da645b382e202ae10ae610706ade9c52da1dc3a51
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cc186e6b8931c4ba2a7385eb47faf126
SHA178079450315f1f685df23e07b40bc2ef59dc6050
SHA256bf0073074be2c91ed5eaa63d3b336a89c7e2192ddb500a7f4808e82be972e4c2
SHA512add507c978f05b6eaf1ee6a83b3ce49216160200a911ce69516bcf2def4fe6e45e82824324b2a0d93447d30387a9f9dcffa3b4433213dd5ed49dda99b93d01e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD57ba2c5fe51fb280d45b1f1fb797b17bb
SHA1e1f175b44a39b86673fbda3db15cee378534bc72
SHA256a04c8ecd96e084c9493692dea492e97670e00f1fab6531b7cfa2eaa8a95b7a69
SHA51251c75364467657f64fcafa823656c0a806c5cc7b75cdc9e19f0bffa00f0ebebe938088ca2944d84da8aa6728cf675f30dbc99e9a57a7139e1c42da96b10cf51e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52282a58b38709db0b818db06024f956e
SHA15833dd3ce9a21de7724542ae99eb40b3c0fcf8f5
SHA25684908a1f5a5168b452420a58efe02a0d9b2e91a3056558ffe4c4627c9ee44a30
SHA5121f5a65f54493d42ce3ee24394ac108518c4d860ff7ce07e9f24de7a38ba65dc81a7388671112c5d7445cfdb37f570285616ce15f7db269ce149632d3011bfc71
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5cbfae6bf5572272b44d425952aa10426
SHA11eee9c04aa42d7e37ef1320a819d8202e78e43d4
SHA2564720968bf8579410a91bb71dde069513ed5841149cfcb1ad81050b2348402a53
SHA512a7e61e52925f86f4298a8306da183fa77023e111acb99200e2209108a9c4b914621396bd5b9bc104c05826d1b9f36e650146f9098d9b2d05c49f70612f314650
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD530796df967fa7983891eb2b810b37448
SHA106127156bd3f0c1d329e5766279eeec72c6bba49
SHA2568f29a95e010cb679a1885e6a4dcb0771336bb396b28efe729e93bbd11427e41a
SHA5125ed4743dfd0ea77bd5359459492e7b7d9a594c5570e1041548843c35c55470405c2f2d3b2fcf0db228c517673f8e3669933863b9236c6196ec7130bae2017e3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ed579fcc2db56d58c49de1b11c083af8
SHA19bd9505a30080c9468c8fba4501a80791b9aafeb
SHA2566a90e9db696b53200d48f650b8e1a595a2a80c6a38c2f99920e23527fde440d5
SHA5125a265399629755b5680811deaf33ff86ee5bc480be9998210b75dde566431e81e965e1695b8ce86ef34f0278a636ff9aa7d7df49f96176dd2391776c2a0c46da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5168a6b7c78f581c38a2f1617ca7ce209
SHA122b139d0912b2f9ec1792985bffe0e2f1bad3f9c
SHA25622107a7ddabfcc61b36b0d5118f3fe59e847cef279cf353e1ac263ee5dfc894e
SHA512a1675b0430666e3322f208c35fc84ef9a80ba1d00792c84e76e93035f02568dc7090c6a1d15d6fbdb616248ec2cfd44f2a8d924a4670d7b50dc2945fac3c760b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD521b5e49ad4d8fbad3cffc45c965425df
SHA162717ad5f5121f83753135a5e92ec6dc75ada29a
SHA25692386985709585f42a32f9f471e5e1a7462414a486eb80059300912d839b204c
SHA512f984066cd11f897d873d44ff5c206769d45b9476b254fb3341fcf3d9d35ee22c7b914f48e534037f7f97ff4c91a65cb2d9ff20c735132af118b8d693d6c4ead3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e3e4b9b73b87d1acca084f333bb6fc4c
SHA14d1e929e708aef04ab38fceb5b99982cc8f95140
SHA2565a47aa809e9ea902a9c9c1a77e1af2f340c10927c98eb324c029938d5cb61db5
SHA5120bbc103641780f4ad4bd267af017bf3cf843689ae5ea0480b6c6f763ef259c6518ee373ed1473b77caec26494d3e3b7196b7a38011358f2912bd655fd5b75199
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5bdb335ed51763ae0ab64255e12d54641
SHA1abef602de29c6c6a6b8d54abca0c0d81f0158132
SHA2561265b5135f57777061592727d295731e4d0135305cedbfdcdcdde788a9fb4269
SHA512d4a555fccec41f097cb0f6221a6cb5c45b8c4504eb5141b34101680cbfd6a1c5477c610aaee466e3dbc4ec7e99562e85671370c5cc6fa6a9a30d0cb3520ce419
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5ec6fdf299ba06a10196b6c6ec3325824
SHA13f07e4c4147719735046925a1af671e1362a7e98
SHA256276c57fb6a9b745ee0688c0fee448ada9e302e2f24433b8ddeafa9af6ee3565d
SHA5128a1fb18e91ef2000c063278779d7173e8b5660d2934e174648e98224c26682ca42e3afe3ceec5d0dc767c3dd60e032f9de034fdad33592c7ed01633452c63f2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD558e11f9bd22fd32f942d546057ec26f0
SHA1c3e65726abbc086578dfd3e8abb26a8b7c978584
SHA25669c6da874a534228171bbac1741bf2ba61ce091bed951f302e24d7b8be1e963e
SHA512de41caa1509a1385f7566e7a63553cb79d04482a3c25a5a2a71d30d1f2eec273d9360b6103e727c265224908aef2fc1dfdb56e2d2bd400a7a67ac6d578240222
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52cc267e7c380004fa445b21693d00a46
SHA14e539f4c6cb6e29f85e5d9b6fdb6c5b9504e2934
SHA2564fb2b31d4423f6bc4ffd05e36b8cfad312c160654e0830d9c9066d9859e2303d
SHA512cd3c3c7c5c037f4f36e08d7aaf52f314082bfd2c166173eb9da91ffaad2cf387e3335a5dc02a6243710382e8b54fb8d6c563bc1e7f662fc1203ef921f1d28e05
-
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize4KB
MD5da597791be3b6e732f0bc8b20e38ee62
SHA11125c45d285c360542027d7554a5c442288974de
SHA2565b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CM5696F\cf.errors[1].css
Filesize23KB
MD5a1cedc21f16b5a97114857154fab35e9
SHA195e9890a15a4f7f94f7f19d2c297e4b07503c526
SHA2561103290e25ebda2712abe344a87facbac00ddaba712729be9fe5feef807bf91b
SHA51200e857331dce66901120b042a254e5af5135364f718da56110a4744f3e64f9b61ba0b877013af8398a0f865c7bde6ad2f87b3c9d2d828651806409cba57aa34e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6CM5696F\styles__ltr[1].css
Filesize55KB
MD5eb4bc511f79f7a1573b45f5775b3a99b
SHA1d910fb51ad7316aa54f055079374574698e74b35
SHA2567859a62e04b0acb06516eb12454de6673883ecfaeaed6c254659bca7cd59c050
SHA512ec9bdf1c91b6262b183fd23f640eac22016d1f42db631380676ed34b962e01badda91f9cbdfa189b42fe3182a992f1b95a7353af41e41b2d6e1dab17e87637a0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ESDZY7ML\browser-bar[1].png
Filesize715B
MD5226dcb8f6144bdaafdfbd8f2f354be64
SHA13785cc5b3bf52f8e398177b0ff1020b24aa86b8c
SHA2568c873472f4925d5d47521db4d52532d2983e9cb1bde8b43143a6cc6db56c35db
SHA512ed898b12c4895f7aceaab443c1071e6376db71b4dfdbd769f5f3be71d562438a18b5e5dc36dd7cc610926e380603a894b2e81df4302680c736a412bfd3360d3a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ESDZY7ML\domain_profile[1].htm
Filesize6KB
MD58cbbb29310ad57fac141836ce71715e8
SHA188d6be2a827beb40c25cf49f28683d920f36f99a
SHA25624ff3f0692c9e177e2e8b8c2e06a2c6f11b09dde06006f1e030f8838f27eb12e
SHA51223694f08aa791d26e4f4105b039599c1d6ac9773e4940598dae34d4608bd28fcec19dd1879bee78e023dc47ea2f44689beea0d79c192bae3bd8af77eacced55d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ESDZY7ML\recaptcha__en[1].js
Filesize502KB
MD537c6af40dd48a63fcc1be84eaaf44f05
SHA11d708ace806d9e78a21f2a5f89424372e249f718
SHA256daf20b4dbc2ee9cc700e99c7be570105ecaf649d9c044adb62a2098cf4662d24
SHA512a159bf35fc7f6efdbe911b2f24019dca5907db8cf9ba516bf18e3a228009055bcd9b26a3486823d56eacc391a3e0cc4ae917607bd95a3ad2f02676430de03e07
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HO5ISX78\cf-no-screenshot-error[1].png
Filesize3KB
MD50d768cbc261841d3affc933b9ac3130e
SHA1aff136a4c761e1df1ada7e5d9a6ed0ebea74a4b7
SHA2561c53772285052e52bb7c12ad46a85a55747ed7bf66963fe1993fcef91ff5b0d0
SHA512ce5b1bbb8cf6b0c3d1fa146d1700db2300abd6f2bdbe43ecaac6aebc911be6e1bcd2f8c6704a2cfa67bbb45598793ddec017e05c2c37ce387293aae08e7c342f
-
Filesize
557KB
MD5a88366d1f277741e4ab04fc5818db09c
SHA1bd515ee10f2fc4c4b5d3f27f8a07ea518929e31f
SHA2569177ce6cac767b37934db030fdc1ab9561dca4d7fafd957a82b5ef5f44e2911e
SHA5121f52800a982f9bc70811d86bbcf10a754343e979870f6c46b8b24a92d42c298e59cd5a0d3378ce87163d4100861babdd1e841d66f58f56c5fe7db51460fba636
-
Filesize
393KB
MD575776a73ecb1938018a7841b19c1476b
SHA1f465df3b6837937252f94b16ff3ab8b5bf72cb7b
SHA256f4dc99a0c9f2fbd51d4ece49a6dea15c45f7e1de5747d88086cb30908423102f
SHA512516f43d14392cecc0707f5ed3e3f4918731af59ea6eb248b780dac35a3ceb80bc22de5f77d0454450583913166a93f70723b7bca35322f9acd91c40914b1b192
-
Filesize
1.4MB
MD5e004b7dec2e80e68fc1ceb48e9bd1297
SHA17f1af113fb5e30feec35d3833ce5784b420b4622
SHA256615be588f1fa16f8ce1e3637c3445e30eb48ae1d75a1c5d6f150117bc6d0ca11
SHA51260983686d207b5b1768b3c50f46f823f703e0688bd9b8e5ac41a3aa3d5db414209164487dca582dc1994421367bcd272ab134bc2568b86e792f9b7fd84cb5c76
-
Filesize
1.4MB
MD5f14ae9b23204bdd247a56f05a14432fe
SHA1aec9f2a1f34f909332497f9b84cc89d0f95a9eb9
SHA2561d972bf46c05494532b2eca29f884d808fc49eef6d8616871ea44659a93adcae
SHA512f33eff8103298d42bd2a6ce709f5a65f4f53488afb65d8880d45367320e48c2f73a26815c05d547bd5b1f9a88ad357e055f046b5e682a28f0cbd8d58c8725e90