194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Size

45KB
MD5

270d7de5001bf0d43984acf26637694d
SHA1

3648776149b5fd2408e9bb9eef9eac5da096e034
SHA256

194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e
SHA512

2268ff8fef0b42cbbcc0cabada31e3cc64387b9128055d0d3491734dcdec3b18caa4463626de63ce52cf35c4c22eed2bd18810b8fda61ec82550ac24608bc758
SSDEEP

768:kSxam3Usjr3RT594UPS8GGCMDDxW738HbFtnbcuyD7UVOQI5noC:kRsjd3GR2Dxy387Lnouy8VTC

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

UPX dump on OEP (original entry point) 22 IoCs

resource	yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0007000000014b4c-8.dat	UPX
behavioral1/files/0x000900000001535e-108.dat	UPX
behavioral1/memory/1736-109-0x0000000002690000-0x00000000026BF000-memory.dmp	UPX
behavioral1/memory/1928-113-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1928-115-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d4e-114.dat	UPX
behavioral1/memory/1736-116-0x0000000002690000-0x00000000026BF000-memory.dmp	UPX
behavioral1/memory/1668-125-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d5f-126.dat	UPX
behavioral1/memory/1460-137-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1460-138-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d6b-139.dat	UPX
behavioral1/memory/1056-148-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2204-158-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d87-159.dat	UPX
behavioral1/memory/1736-166-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1728-168-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d93-170.dat	UPX
behavioral1/memory/1728-171-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1736-181-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2044-180-0x0000000000400000-0x000000000042F000-memory.dmp	UPX

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1928	xk.exe
1668	IExplorer.exe
1460	WINLOGON.EXE
1056	CSRSS.EXE
2204	SERVICES.EXE
1728	LSASS.EXE
2044	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000014b4c-8.dat	upx
behavioral1/files/0x000900000001535e-108.dat	upx
behavioral1/memory/1736-109-0x0000000002690000-0x00000000026BF000-memory.dmp	upx
behavioral1/memory/1928-113-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1928-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d4e-114.dat	upx
behavioral1/memory/1736-116-0x0000000002690000-0x00000000026BF000-memory.dmp	upx
behavioral1/memory/1668-125-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d5f-126.dat	upx
behavioral1/memory/1460-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1460-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d6b-139.dat	upx
behavioral1/memory/1056-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2204-158-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d87-159.dat	upx
behavioral1/memory/1736-166-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1728-168-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d93-170.dat	upx
behavioral1/memory/1728-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1736-181-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2044-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created	C:\Windows\SysWOW64\shell.exe	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created	C:\Windows\SysWOW64\Mig2.scr	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created	C:\Windows\xk.exe	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
1928	xk.exe
1668	IExplorer.exe
1460	WINLOGON.EXE
1056	CSRSS.EXE
2204	SERVICES.EXE
1728	LSASS.EXE
2044	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1928	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	28
PID 1736 wrote to memory of 1928	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	28
PID 1736 wrote to memory of 1928	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	28
PID 1736 wrote to memory of 1928	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	28
PID 1736 wrote to memory of 1668	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	29
PID 1736 wrote to memory of 1668	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	29
PID 1736 wrote to memory of 1668	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	29
PID 1736 wrote to memory of 1668	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	29
PID 1736 wrote to memory of 1460	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	30
PID 1736 wrote to memory of 1460	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	30
PID 1736 wrote to memory of 1460	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	30
PID 1736 wrote to memory of 1460	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	30
PID 1736 wrote to memory of 1056	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	31
PID 1736 wrote to memory of 1056	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	31
PID 1736 wrote to memory of 1056	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	31
PID 1736 wrote to memory of 1056	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	31
PID 1736 wrote to memory of 2204	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	32
PID 1736 wrote to memory of 2204	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	32
PID 1736 wrote to memory of 2204	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	32
PID 1736 wrote to memory of 2204	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	32
PID 1736 wrote to memory of 1728	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	33
PID 1736 wrote to memory of 1728	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	33
PID 1736 wrote to memory of 1728	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	33
PID 1736 wrote to memory of 1728	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	33
PID 1736 wrote to memory of 2044	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	34
PID 1736 wrote to memory of 2044	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	34
PID 1736 wrote to memory of 2044	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	34
PID 1736 wrote to memory of 2044	1736	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

C:\Users\Admin\AppData\Local\Temp\194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
"C:\Users\Admin\AppData\Local\Temp\194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1736
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1928
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1668
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1460
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1056
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2204
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1728
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
45KB

MD5
270d7de5001bf0d43984acf26637694d

SHA1
3648776149b5fd2408e9bb9eef9eac5da096e034

SHA256
194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e

SHA512
2268ff8fef0b42cbbcc0cabada31e3cc64387b9128055d0d3491734dcdec3b18caa4463626de63ce52cf35c4c22eed2bd18810b8fda61ec82550ac24608bc758

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
8266ad40c39c91a6dfeb0ee1e5ddd273

SHA1
aee591e12c184db5c27f32d073f1b1d0fae28fbd

SHA256
e37efd04214a2af26bb3980feea33ff95246595c40d7f1f468edbc197a9122d3

SHA512
712a071407e0129515d9ba630cfcd4008d9e6f8bc4df409e8d5753753205ca17714ff5997f5b01c3443c38a35953f3c4ceb8cb86e5c41981f9811a4a687f0c8d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
5c02c0d889bab778ffc4dd197d255842

SHA1
7874760fddff6c08cf5c19e8c5286c5d5c482229

SHA256
f648d2782cf60ed2eead098f81f6f490ab0209f4cde331eaf24138cb6f9f0a18

SHA512
2e9922e7000d4d381d68424f0090a9f9b1421e4be31e4919316230eb52124b5fafe06c538d91cf9ef3bf02f82bff46e7485d58c3c17b7dbb8c1ac53dab3d3960

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
7ca7d6fe83e211d2f3d4f5880da0aa83

SHA1
12f5ca91a42bb37a6e1b9edba28ae49818544f3a

SHA256
8c40f9bd474651025edc08983e386d2e0ee71893186e2d7f5bcef1c320f4dc21

SHA512
d023a309dfe190ed7a097695bf392f4c4da973081be0f9aee24ed2f3ee1886e4eae87dd0f77d500be9c95f7d3c80db3a5446a7d02c557090adc646e844bb2c6c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
7e4244fb656f6a8e4043bfb01c7f1032

SHA1
5fc205ee818ab8a5ccf215e8915e608f07996dc3

SHA256
1c2e46abbac88c3f15c2b20a7d0e4677364e0c5ffe01bf7a5a86a213397406e0

SHA512
afd5461fbe9a253ab2a26afd856738f87cdda21ce30b82e7a97557a64cf38904f0d0a247beba64a1c170de87f59fc12884b9b572b877f60376bcfe29d99b0964

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
73456c180e203fe83e93035c7c97f63f

SHA1
c8acbe2991b66e71bb4f1361cdf96b64ac7c0615

SHA256
993af5e4701349a737252ab9ce595a6727dcb054e75577c7bb2f6b563724a8d6

SHA512
0ec64759fba94a330495c9721e0966f9427d22244d4072c0fe8b7a77a076697d73b591701ad1c10693a1e5748dfb1a98fe1ffb4bd2d0474bb2e257d6b29b5064

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
aad44101ee0cca32a2c0f1c5a7db1c6f

SHA1
7ce73851853ca29ac9c1311eb252d6cf1f93dd76

SHA256
226342155457b507e7d7f118ddc6ac0f21c5ab96a8f32e6b42da034eb14e8a15

SHA512
ecb8baff20fb4d3840c6ace735d02dc275ea1e1e6e8ee92afaea72b1523398212b01663b7f734419f29c5f9b5f75700f3d2bb1fc81566891a4ef27d17810da2e

Download Submit
memory/1056-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-136-0x0000000002690000-0x00000000026BF000-memory.dmp

Filesize
188KB

Download
memory/1736-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-133-0x0000000002690000-0x00000000026BF000-memory.dmp

Filesize
188KB

Download
memory/1736-116-0x0000000002690000-0x00000000026BF000-memory.dmp

Filesize
188KB

Download
memory/1736-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-111-0x0000000002690000-0x00000000026BF000-memory.dmp

Filesize
188KB

Download
memory/1736-109-0x0000000002690000-0x00000000026BF000-memory.dmp

Filesize
188KB

Download
memory/1736-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1928-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download