928f05346650d5e3ac2da1998b382621148c2113faa5507ba70a0569a89c45cf

Analysis

max time kernel
235s
max time network
198s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1037c6fa49793bf01883643a1df5055c.exe
Size

133KB
MD5

1037c6fa49793bf01883643a1df5055c
SHA1

99532825f71b4fc24fedab8a690041c8872a8af7
SHA256

928f05346650d5e3ac2da1998b382621148c2113faa5507ba70a0569a89c45cf
SHA512

3cfda676f3da7fae76ae4f3a836e6a28837b6bbc79879026890fc8061d58fbc82e883cecd6fd3dc485bf5e67d22a35e9737768b561c48743dc9b789ad300f884
SSDEEP

3072:Md5X+hR3hUI/7ZSBYfkVoFdRrqo0aRaA/HF673+UWHIfrNRDz0:Mr6RRXNkVsuaRaU6mHGjD4

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe"	1037c6fa49793bf01883643a1df5055c.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2864	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2944	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	lsass.exe

Loads dropped DLL 7 IoCs

pid	Process
3032	regsvr32.exe
3012	1037c6fa49793bf01883643a1df5055c.exe
3012	1037c6fa49793bf01883643a1df5055c.exe
2928	lsass.exe
2928	lsass.exe
2928	lsass.exe
2928	lsass.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3012-0-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3012-7-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3012-13-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/files/0x0038000000016262-14.dat	upx
behavioral1/memory/3012-16-0x00000000002A0000-0x00000000002F2000-memory.dmp	upx
behavioral1/memory/2928-22-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/3012-27-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2928-28-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2928-29-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2928-30-0x0000000000400000-0x0000000000452000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\ setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1037c6fa49793bf01883643a1df5055c.exe"	1037c6fa49793bf01883643a1df5055c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\ setup = "C:\\WINDOWS\\Cursors\\lsass.exe"	lsass.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	1037c6fa49793bf01883643a1df5055c.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	attrib.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Cursors\lsass.exe	1037c6fa49793bf01883643a1df5055c.exe
File opened for modification	C:\WINDOWS\Cursors\lsass.exe	attrib.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2928	lsass.exe
Token: SeBackupPrivilege	2928	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3012	1037c6fa49793bf01883643a1df5055c.exe
3012	1037c6fa49793bf01883643a1df5055c.exe
2928	lsass.exe
2928	lsass.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3032	3012	1037c6fa49793bf01883643a1df5055c.exe	28
PID 3012 wrote to memory of 3032	3012	1037c6fa49793bf01883643a1df5055c.exe	28
PID 3012 wrote to memory of 3032	3012	1037c6fa49793bf01883643a1df5055c.exe	28
PID 3012 wrote to memory of 3032	3012	1037c6fa49793bf01883643a1df5055c.exe	28
PID 3012 wrote to memory of 3032	3012	1037c6fa49793bf01883643a1df5055c.exe	28
PID 3012 wrote to memory of 3032	3012	1037c6fa49793bf01883643a1df5055c.exe	28
PID 3012 wrote to memory of 3032	3012	1037c6fa49793bf01883643a1df5055c.exe	28
PID 3012 wrote to memory of 2944	3012	1037c6fa49793bf01883643a1df5055c.exe	29
PID 3012 wrote to memory of 2944	3012	1037c6fa49793bf01883643a1df5055c.exe	29
PID 3012 wrote to memory of 2944	3012	1037c6fa49793bf01883643a1df5055c.exe	29
PID 3012 wrote to memory of 2944	3012	1037c6fa49793bf01883643a1df5055c.exe	29
PID 3012 wrote to memory of 2944	3012	1037c6fa49793bf01883643a1df5055c.exe	29
PID 3012 wrote to memory of 2944	3012	1037c6fa49793bf01883643a1df5055c.exe	29
PID 3012 wrote to memory of 2944	3012	1037c6fa49793bf01883643a1df5055c.exe	29
PID 3012 wrote to memory of 2864	3012	1037c6fa49793bf01883643a1df5055c.exe	31
PID 3012 wrote to memory of 2864	3012	1037c6fa49793bf01883643a1df5055c.exe	31
PID 3012 wrote to memory of 2864	3012	1037c6fa49793bf01883643a1df5055c.exe	31
PID 3012 wrote to memory of 2864	3012	1037c6fa49793bf01883643a1df5055c.exe	31
PID 3012 wrote to memory of 2864	3012	1037c6fa49793bf01883643a1df5055c.exe	31
PID 3012 wrote to memory of 2864	3012	1037c6fa49793bf01883643a1df5055c.exe	31
PID 3012 wrote to memory of 2864	3012	1037c6fa49793bf01883643a1df5055c.exe	31
PID 3012 wrote to memory of 2880	3012	1037c6fa49793bf01883643a1df5055c.exe	32
PID 3012 wrote to memory of 2880	3012	1037c6fa49793bf01883643a1df5055c.exe	32
PID 3012 wrote to memory of 2880	3012	1037c6fa49793bf01883643a1df5055c.exe	32
PID 3012 wrote to memory of 2880	3012	1037c6fa49793bf01883643a1df5055c.exe	32
PID 3012 wrote to memory of 2880	3012	1037c6fa49793bf01883643a1df5055c.exe	32
PID 3012 wrote to memory of 2880	3012	1037c6fa49793bf01883643a1df5055c.exe	32
PID 3012 wrote to memory of 2880	3012	1037c6fa49793bf01883643a1df5055c.exe	32
PID 3012 wrote to memory of 2928	3012	1037c6fa49793bf01883643a1df5055c.exe	35
PID 3012 wrote to memory of 2928	3012	1037c6fa49793bf01883643a1df5055c.exe	35
PID 3012 wrote to memory of 2928	3012	1037c6fa49793bf01883643a1df5055c.exe	35
PID 3012 wrote to memory of 2928	3012	1037c6fa49793bf01883643a1df5055c.exe	35
PID 3012 wrote to memory of 2928	3012	1037c6fa49793bf01883643a1df5055c.exe	35
PID 3012 wrote to memory of 2928	3012	1037c6fa49793bf01883643a1df5055c.exe	35
PID 3012 wrote to memory of 2928	3012	1037c6fa49793bf01883643a1df5055c.exe	35

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2944	attrib.exe
2880	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1037c6fa49793bf01883643a1df5055c.exe
"C:\Users\Admin\AppData\Local\Temp\1037c6fa49793bf01883643a1df5055c.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\MSWINSCK.OCX
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3032
- C:\Windows\SysWOW64\attrib.exe
  attrib +S +H C:\Windows\system32\MSWINSCK.OCX
  2⤵
  - Sets file to hidden
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:2944
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram program =C:\WINDOWS\Cursors\lsass.exename = WinUpdate = ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:2864
- C:\Windows\SysWOW64\attrib.exe
  attrib +h C:\WINDOWS\Cursors\lsass.exe
  2⤵
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:2880
- C:\WINDOWS\Cursors\lsass.exe
  C:\WINDOWS\Cursors\lsass.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\Cursors\lsass.exe

Filesize
133KB

MD5
b207ec06f0f704cc7a056531b22d1481

SHA1
72977d8fa33848aa01c7c72686e8a53b784902ba

SHA256
685ceec9119ae4d0d83121483835f4d9d391d319d01414518c47c02df3eb6650

SHA512
c2b4400c029974d05f9626282bb0f9a669b7cb649b47847106a4e0e85650387e1eaee17d540386383948af3a7ff251a941aedcf2e6fe603a9e4f4782cb13a133

Download Submit
C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
memory/2928-30-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2928-29-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2928-28-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2928-22-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3012-7-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3012-16-0x00000000002A0000-0x00000000002F2000-memory.dmp

Filesize
328KB

Download
memory/3012-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3012-27-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3012-9-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download
memory/3012-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3012-1-0x0000000000230000-0x0000000000282000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads