c61638e8ac4047c9a6150cd63fb2a2385fab4ce31eb57fa1a29e557053c52bca

Analysis

max time kernel
45s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4b0badfb71b9b4353c864604b8b4dd8.exe
Size

425KB
MD5

b4b0badfb71b9b4353c864604b8b4dd8
SHA1

d2de77da6cf53a1b0e030df44c928beb3f1ff8e2
SHA256

c61638e8ac4047c9a6150cd63fb2a2385fab4ce31eb57fa1a29e557053c52bca
SHA512

b8891a159f41553956c1f9759e6f3d35eb968edcdc5ac94d08a3b7629adb19278d6ce6ad37c4bc2a8ed91e68b00a2467eaee651a38e79313752c2680c11abcb0
SSDEEP

12288:w82tz1DBz5gga7egJlrtyp/0bJoNsOZ930DskP/vl4/mTCEWCEfrjRLmsBfZqFlR:w82tz1DBz5gh6gJVtE/0bJoCeAP/vl40

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	pikachu.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\WINDOWS\\userinit.exe"	scout.exe

Disables RegEdit via registry modification 3 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	scout.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	pikachu.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 6 IoCs

pid	Process
4980	scout.exe
2520	lsass.exe
2792	scout.exe
1864	lsass.exe
4244	pikachu.exe
1212	lsass.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1716-0-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/files/0x0008000000023322-8.dat	upx
behavioral2/memory/4980-83-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2792-93-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1864-101-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1716-102-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/1212-116-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2520-117-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/2792-118-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4244-119-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\pikachu.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\pikachu.exe"	scout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pikachu = "C:\\WINDOWS\\pikachu.exe"	pikachu.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\link.sys	scout.exe
File opened for modification	C:\WINDOWS\SysWOW64\link.sys	scout.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\WINDOWS\scout.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File opened for modification	C:\WINDOWS\scout.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File created	C:\WINDOWS\system\lsass.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File opened for modification	C:\WINDOWS\system\lsass.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File created	C:\WINDOWS\pikachu.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File created	C:\WINDOWS\system\lsass.exe	scout.exe
File created	C:\WINDOWS\userinit.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File opened for modification	C:\WINDOWS\userinit.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File opened for modification	C:\WINDOWS\pikachu.exe	b4b0badfb71b9b4353c864604b8b4dd8.exe
File created	C:\WINDOWS\pikachu.exe	scout.exe
File opened for modification	C:\WINDOWS\pikachu.exe	scout.exe
File opened for modification	C:\WINDOWS\system\lsass.exe	scout.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1808	4980	WerFault.exe	98

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000005a58da88100041646d696e003c0009000400efbe5a58ef7b655851632e0000008de10100000001000000000000000000000000000000f000e200410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e0031000000000065585463100054656d7000003a0009000400efbe5a58ef7b655855632e000000ace1010000000100000000000000000000000000000001543700540065006d007000000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000005a58ef7b1100557365727300640009000400efbe874f7748655851632e000000c70500000000010000000000000000003a000000000070b4280055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000005a581a8910004c6f63616c003c0009000400efbe5a58ef7b655854632e000000abe1010000000100000000000000000000000000000031586a004c006f00630061006c00000014000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 = 8a003100000000006558526310004234423042417e310000720009000400efbe65585263655852632e000000d032020000000b000000000000000000000000000000aa99ff0062003400620030006200610064006600620037003100620039006200340033003500330063003800360034003600300034006200380062003400640064003800000018000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000005a58ef7b12004170704461746100400009000400efbe5a58ef7b655851632e00000098e1010000000100000000000000000000000000000053df10004100700070004400610074006100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2844	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	scout.exe
4980	scout.exe
2520	lsass.exe
2520	lsass.exe
2792	scout.exe
2792	scout.exe
2520	lsass.exe
2520	lsass.exe
1864	lsass.exe
1864	lsass.exe
2792	scout.exe
2792	scout.exe
2520	lsass.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
1212	lsass.exe
1212	lsass.exe
2520	lsass.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
2792	scout.exe
2792	scout.exe
2520	lsass.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
2792	scout.exe
2792	scout.exe
2520	lsass.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
2792	scout.exe
2792	scout.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
2520	lsass.exe
2792	scout.exe
2792	scout.exe
2520	lsass.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
2792	scout.exe
2792	scout.exe
2792	scout.exe
2792	scout.exe
4244	pikachu.exe
4244	pikachu.exe
2520	lsass.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
2792	scout.exe
2792	scout.exe
2520	lsass.exe
2520	lsass.exe
4244	pikachu.exe
4244	pikachu.exe
2520	lsass.exe
2520	lsass.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1716	b4b0badfb71b9b4353c864604b8b4dd8.exe
1716	b4b0badfb71b9b4353c864604b8b4dd8.exe
4980	scout.exe
4980	scout.exe
2520	lsass.exe
2520	lsass.exe
2792	scout.exe
2792	scout.exe
1864	lsass.exe
1864	lsass.exe
2844	explorer.exe
2844	explorer.exe
4244	pikachu.exe
4244	pikachu.exe
1212	lsass.exe
1212	lsass.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 4980	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	98
PID 1716 wrote to memory of 4980	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	98
PID 1716 wrote to memory of 4980	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	98
PID 1716 wrote to memory of 2520	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	103
PID 1716 wrote to memory of 2520	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	103
PID 1716 wrote to memory of 2520	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	103
PID 1716 wrote to memory of 2176	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	105
PID 1716 wrote to memory of 2176	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	105
PID 1716 wrote to memory of 2176	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	105
PID 1716 wrote to memory of 2792	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	107
PID 1716 wrote to memory of 2792	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	107
PID 1716 wrote to memory of 2792	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	107
PID 1716 wrote to memory of 1864	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	108
PID 1716 wrote to memory of 1864	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	108
PID 1716 wrote to memory of 1864	1716	b4b0badfb71b9b4353c864604b8b4dd8.exe	108
PID 2792 wrote to memory of 4244	2792	scout.exe	109
PID 2792 wrote to memory of 4244	2792	scout.exe	109
PID 2792 wrote to memory of 4244	2792	scout.exe	109
PID 2792 wrote to memory of 1212	2792	scout.exe	111
PID 2792 wrote to memory of 1212	2792	scout.exe	111
PID 2792 wrote to memory of 1212	2792	scout.exe	111

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	scout.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	scout.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	pikachu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	scout.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	pikachu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "0"	pikachu.exe

C:\Users\Admin\AppData\Local\Temp\b4b0badfb71b9b4353c864604b8b4dd8.exe
"C:\Users\Admin\AppData\Local\Temp\b4b0badfb71b9b4353c864604b8b4dd8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\WINDOWS\scout.exe
  C:\WINDOWS\scout.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 628
    3⤵
    - Program crash
    PID:1808
- C:\WINDOWS\system\lsass.exe
  C:\WINDOWS\system\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2520
- C:\Windows\SysWOW64\explorer.exe
  explorer b4b0badfb71b9b4353c864604b8b4dd8
  2⤵
  PID:2176
- C:\WINDOWS\scout.exe
  C:\WINDOWS\scout.exe
  2⤵
  - Modifies WinLogon for persistence
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2792
- - C:\WINDOWS\pikachu.exe
    C:\WINDOWS\pikachu.exe
    3⤵
    - Modifies WinLogon for persistence
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:4244
- - C:\WINDOWS\system\lsass.exe
    C:\WINDOWS\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1212
- C:\WINDOWS\system\lsass.exe
  C:\WINDOWS\system\lsass.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4980 -ip 4980
1⤵
PID:4020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=3044,i,17059189006398306756,4247826696353232857,262144 --variations-seed-version /prefetch:8
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\system32\drivers\etc\hosts

Filesize
578B

MD5
4cedd41692993cf5a0a40baeb724b871

SHA1
fc1eeb1d88966ea4a816bcbdab320830b6f70261

SHA256
fc50ea976a803f4b75f0754c470753049cb6ad93466ec9a55f0b922e112a7695

SHA512
e7124fdba0a6580da6c48cd77777c6aa1aa23f304db8383551931db1e5e814d2d03de92eeaeeb64f4a0654ee7de640956abeffdd94bcd23c08a875cdc6907862

Download Submit
C:\Windows\System\lsass.exe

Filesize
425KB

MD5
b4b0badfb71b9b4353c864604b8b4dd8

SHA1
d2de77da6cf53a1b0e030df44c928beb3f1ff8e2

SHA256
c61638e8ac4047c9a6150cd63fb2a2385fab4ce31eb57fa1a29e557053c52bca

SHA512
b8891a159f41553956c1f9759e6f3d35eb968edcdc5ac94d08a3b7629adb19278d6ce6ad37c4bc2a8ed91e68b00a2467eaee651a38e79313752c2680c11abcb0

Download Submit
memory/1212-116-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1716-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1716-102-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1864-101-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2520-117-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2792-93-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2792-118-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4244-119-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4980-83-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download