Analysis
- max time kernel: 82s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-03-2024 01:12
Behavioral task: behavioral1
- Sample: d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Resource: win10v2004-20240226-en
General
- Target: d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Size: 196KB
- MD5: 80d765bf7ac04c4607cacf0754b73178
- SHA1: a2a91440be0fd6d4f316553926bcda919032b776
- SHA256: d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea
- SHA512: e0a09385f64e0ac27c3d894f7bf4d3ed5f115265c1b23fd7ac2166ec4023402abcca1b3dd499a68ee59b31331ede66fec50331eb88ac7427a820bd0bb7b297b9
- SSDEEP: 3072:ZOgUXoutNzxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoSJRARoYlld9n2Qpmx
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
UPX dump on OEP (original entry point) 31 IoCs
resource | yara_rule
- behavioral2/memory/3392-0-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x0007000000023203-8.dat | UPX
- behavioral2/files/0x0007000000023207-106.dat | UPX
- behavioral2/memory/3416-108-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/3416-111-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x000700000002320b-114.dat | UPX
- behavioral2/memory/4848-115-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/4848-118-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x000700000002320d-120.dat | UPX
- behavioral2/memory/1652-135-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x0007000000023207-175.dat | UPX
- behavioral2/memory/1472-180-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x000700000002320b-179.dat | UPX
- behavioral2/memory/4752-183-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x000700000002320d-185.dat | UPX
- behavioral2/memory/688-188-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x000700000002320e-191.dat | UPX
- behavioral2/memory/2484-194-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x000700000002320f-196.dat | UPX
- behavioral2/memory/3688-200-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x0007000000023210-203.dat | UPX
- behavioral2/memory/2948-206-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/files/0x0007000000023211-208.dat | UPX
- behavioral2/memory/3392-210-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/3856-213-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/3392-239-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/4704-244-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/220-248-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/4288-253-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/1672-256-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
- behavioral2/memory/3392-257-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
- Set value (int) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 14 IoCs
pid | Process
- 3416 | xk.exe
- 4848 | IExplorer.exe
- 1652 | WINLOGON.EXE
- 1472 | xk.exe
- 4752 | IExplorer.exe
- 688 | WINLOGON.EXE
- 2484 | CSRSS.EXE
- 3688 | SERVICES.EXE
- 2948 | LSASS.EXE
- 3856 | SMSS.EXE
- 4704 | CSRSS.EXE
- 220 | SERVICES.EXE
- 4288 | LSASS.EXE
- 1672 | SMSS.EXE
Modifies system executable filetype association 2 TTPs 13 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
resource | yara_rule
- behavioral2/memory/3392-0-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x0007000000023203-8.dat | upx
- behavioral2/files/0x0007000000023207-106.dat | upx
- behavioral2/memory/3416-108-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/3416-111-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x000700000002320b-114.dat | upx
- behavioral2/memory/4848-115-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/4848-118-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x000700000002320d-120.dat | upx
- behavioral2/memory/1652-135-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x0007000000023207-175.dat | upx
- behavioral2/memory/1472-180-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x000700000002320b-179.dat | upx
- behavioral2/memory/4752-183-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x000700000002320d-185.dat | upx
- behavioral2/memory/688-188-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x000700000002320e-191.dat | upx
- behavioral2/memory/2484-194-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x000700000002320f-196.dat | upx
- behavioral2/memory/3688-200-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x0007000000023210-203.dat | upx
- behavioral2/memory/2948-206-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/files/0x0007000000023211-208.dat | upx
- behavioral2/memory/3392-210-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/3856-213-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/3392-239-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/4704-244-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/220-248-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/4288-253-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/1672-256-0x0000000000400000-0x000000000042F000-memory.dmp | upx
- behavioral2/memory/3392-257-0x0000000000400000-0x000000000042F000-memory.dmp | upx
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
- File created | C:\desktop.ini | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened for modification | F:\desktop.ini | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File created | F:\desktop.ini | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened for modification | C:\desktop.ini | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\B: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\G: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\L: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\U: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\Z: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\I: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\O: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\T: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\W: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\Y: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\H: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\M: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\N: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\P: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\S: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\V: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\X: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\E: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\J: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\K: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\Q: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened (read-only) | \??\R: | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\shell.exe | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File created | C:\Windows\SysWOW64\shell.exe | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File created | C:\Windows\SysWOW64\Mig2.scr | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File created | C:\Windows\SysWOW64\IExplorer.exe | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File opened for modification | C:\Windows\SysWOW64\Mig2.scr | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\xk.exe | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- File created | C:\Windows\xk.exe | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Modifies Control Panel 4 IoCs
description | ioc | Process
- Key created | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\ | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Modifies registry class 15 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
- 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Suspicious use of SetWindowsHookEx 15 IoCs
pid | Process
- 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- 3416 | xk.exe
- 4848 | IExplorer.exe
- 1652 | WINLOGON.EXE
- 1472 | xk.exe
- 4752 | IExplorer.exe
- 688 | WINLOGON.EXE
- 2484 | CSRSS.EXE
- 3688 | SERVICES.EXE
- 2948 | LSASS.EXE
- 3856 | SMSS.EXE
- 4704 | CSRSS.EXE
- 220 | SERVICES.EXE
- 4288 | LSASS.EXE
- 1672 | SMSS.EXE
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
- PID 3392 wrote to memory of 3416 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 90
- PID 3392 wrote to memory of 3416 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 90
- PID 3392 wrote to memory of 3416 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 90
- PID 3392 wrote to memory of 4848 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 91
- PID 3392 wrote to memory of 4848 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 91
- PID 3392 wrote to memory of 4848 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 91
- PID 3392 wrote to memory of 1652 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 92
- PID 3392 wrote to memory of 1652 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 92
- PID 3392 wrote to memory of 1652 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 92
- PID 3392 wrote to memory of 1472 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 93
- PID 3392 wrote to memory of 1472 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 93
- PID 3392 wrote to memory of 1472 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 93
- PID 3392 wrote to memory of 4752 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 94
- PID 3392 wrote to memory of 4752 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 94
- PID 3392 wrote to memory of 4752 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 94
- PID 3392 wrote to memory of 688 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 95
- PID 3392 wrote to memory of 688 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 95
- PID 3392 wrote to memory of 688 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 95
- PID 3392 wrote to memory of 2484 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 96
- PID 3392 wrote to memory of 2484 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 96
- PID 3392 wrote to memory of 2484 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 96
- PID 3392 wrote to memory of 3688 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 97
- PID 3392 wrote to memory of 3688 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 97
- PID 3392 wrote to memory of 3688 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 97
- PID 3392 wrote to memory of 2948 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 98
- PID 3392 wrote to memory of 2948 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 98
- PID 3392 wrote to memory of 2948 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 98
- PID 3392 wrote to memory of 3856 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 99
- PID 3392 wrote to memory of 3856 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 99
- PID 3392 wrote to memory of 3856 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 99
- PID 3392 wrote to memory of 4704 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 106
- PID 3392 wrote to memory of 4704 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 106
- PID 3392 wrote to memory of 4704 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 106
- PID 3392 wrote to memory of 220 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 107
- PID 3392 wrote to memory of 220 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 107
- PID 3392 wrote to memory of 220 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 107
- PID 3392 wrote to memory of 4288 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 108
- PID 3392 wrote to memory of 4288 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 108
- PID 3392 wrote to memory of 4288 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 108
- PID 3392 wrote to memory of 1672 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 109
- PID 3392 wrote to memory of 1672 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 109
- PID 3392 wrote to memory of 1672 | 3392 | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe | 109
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe"
  PID: 3392
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    PID: 3416
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 4848
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    PID: 1652
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    PID: 1472
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 4752
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    PID: 688
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    PID: 2484
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    PID: 3688
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    PID: 2948
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    PID: 3856
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    PID: 4704
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    PID: 220
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    PID: 4288
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    PID: 1672
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
- Filesize: 196KB
  MD5: cb36ccbd5f4c4991948112a9fe95fba3
  SHA1: d7c088407eafd663320f883306f29742c305f0cd
  SHA256: f103f5beedd95b19f5c4c812a4a8e6efea6fb151187ac188e032d44e457544b2
  SHA512: 8706897ad2fe36390c102dd75ebb26caa163b819320ade7e322c2ab0c17037ce0a14bc7633d8625dd87185fb27763fdabd6ea9acf161efd5de31deaff0f0a7a0
- Filesize: 196KB
  MD5: ba24778a2aeba87659528db0af6dca0e
  SHA1: 5f26cbb9be4e7f88bb05d9738e05d2e0ae9ddaa6
  SHA256: 6a6c7fc5e45ed5d9bf1d8b7bfdc475c7b11708f55bca0ff2fcbf2009bba67459
  SHA512: 873d941e62fde2f4a0a58b5e613ee5c800e38c479e262e08cade22321d67d49410be748a13374f0ae7bc198464bc15849ecbc5c69365325397a571d73070daa7
- Filesize: 196KB
  MD5: 87a048082bd5ac5725f5e406d83506ee
  SHA1: d9da3e63a3d4fb35cf3e5b8962f59e9891c20659
  SHA256: a07b6658c4ebc690857912b474fecbe5f63ad4598e0cf42c5e470ffb93abd80d
  SHA512: 42416b3dc65fd9a083967858544a119e00c33a37e7250fd51c4db9995e9d55a8d0e602211541b6a3fa438907c6d8251c58744caaa3c81f3ad230278ba5c4a9c1
- Filesize: 196KB
  MD5: bfd927fce2f1be80eebd4428e2c3e980
  SHA1: 275187965ab3fb9c27e5bec226ee1776a92eb0f3
  SHA256: b648ba1898b9daac4fbf4f1eac7cc6bfc7bb6ee95471e4d3ae2e7fed0040d226
  SHA512: 4e3fb589af6a1bdb3092d285f37d0b043bd3eabd470385668e1322c7e8392689cbac8631181c0bf73e1ce64992a3008d9acf4a42fe2e39b4d42733b104f3ffc3
- Filesize: 196KB
  MD5: 80d765bf7ac04c4607cacf0754b73178
  SHA1: a2a91440be0fd6d4f316553926bcda919032b776
  SHA256: d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea
  SHA512: e0a09385f64e0ac27c3d894f7bf4d3ed5f115265c1b23fd7ac2166ec4023402abcca1b3dd499a68ee59b31331ede66fec50331eb88ac7427a820bd0bb7b297b9
- Filesize: 196KB
  MD5: 0b6befa0b2f71d21b36dfbb77f5c9b5d
  SHA1: 8478c381c2ae47a6f7fdb6a99d20c82abebe2bce
  SHA256: 4a959b568e7d886196a8cc2cb6fcfc68237d0941368d1de82c089275dbe06939
  SHA512: 65b44e7284bd70a862392151702f50562b9c7173724c8531599730b328f561994caf9586fb893576535ea83bbc4a05947cfcfe883451ff85c4bd0764d8f43474
- Filesize: 196KB
  MD5: c53cc9d54244417c1e39d1da16800719
  SHA1: 88303c6204f4f44e1622f6a19e5df4988076475c
  SHA256: f64ecb1d2278a1f934ba5e0a35606c503d6aa3911108df162a316e907e13a3d2
  SHA512: 788d2b68dd4ddeb99d6f54975aeb6996c2241b1a65dd812bb0ea6c8373793b9561d2823784264454b7e0f4de184ce82b0be3e0e9676df1bc310c118c234b633b
- Filesize: 196KB
  MD5: 264add4cbbac39d4a43e53f1b2a44024
  SHA1: 1b0624af52094966a70530f3bc8c707b7ebb7ac7
  SHA256: 33a91d839594579a993a2b95302273ccfad1271023ece8bbe059d21ac17721a1
  SHA512: c47036e94952f0716bf3cb182fcc8858f3c46809d25de1a2a10692a63a3fe51a679d23e1716c98d00a697faa3c962060eaa87809b3d7852397ee23d2feaa800f
- Filesize: 196KB
  MD5: 4104fc40a610b8a94a90fd54f95bac7d
  SHA1: 7503f1d46267b335916ca5b324473fe895a28217
  SHA256: 1b5bfafdd46f6b2caefada3389232c574af0eb10a8ac1b2105ed213ff12ba853
  SHA512: cf86727c7d12802e6f6e7706772011ce845d1bb9f131df55b132faccf777c00750bb1a29620fca90978bc7f6741be45e9a4acf8cc0afadd7adad2115e5f1648a
- Filesize: 196KB
  MD5: ae19ea68fa7ffce267ed420a1a33164a
  SHA1: b59539dc7497f63aa3dd8ac961c29b2d39c8b0e2
  SHA256: ce2217063b1d9f0cd2587a489e6c4eae1988ebc5ede7a8b5a7a45f20ea098e9e
  SHA512: b64a768aae28cc2fa453bef73eb76d482b5f674b628699e46cf8757cb59373c19340c529aa80e39da6a088d69e2d70aa2a81b076b495e64290d49b58f574c638
- Filesize: 196KB
  MD5: 33989d5888f63fe75248ba9238fb25fd
  SHA1: bea98c9e0bf6ba2a817893d298a6b91c3c91b421
  SHA256: 2c2cebd4f826831e4b70f43dfa58148235455023c90fba7cc4ebbd455b2a6ee2
  SHA512: e9c0cd0fb7b8663c53f93ca60c9c625c30052897ca77517f188a5fe93df0ad476a3a54b249b7c300fb7bbd2dc7f0eeccc3576ac33b984a5ec662a29656ced8d9