Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-03-2024 17:47
Behavioral task: behavioral1
- Sample: 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
- Resource: win10v2004-20240226-en
General
- Target: 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
- Size: 45KB
- MD5: 270d7de5001bf0d43984acf26637694d
- SHA1: 3648776149b5fd2408e9bb9eef9eac5da096e034
- SHA256: 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e
- SHA512: 2268ff8fef0b42cbbcc0cabada31e3cc64387b9128055d0d3491734dcdec3b18caa4463626de63ce52cf35c4c22eed2bd18810b8fda61ec82550ac24608bc758
- SSDEEP: 768:kSxam3Usjr3RT594UPS8GGCMDDxW738HbFtnbcuyD7UVOQI5noC:kRsjd3GR2Dxy387Lnouy8VTC
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
UPX dump on OEP (original entry point) 33 IoCs
resource | yara_rule
behavioral2/memory/5000-0-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x0007000000023224-8.dat | UPX
behavioral2/files/0x0007000000023228-106.dat | UPX
behavioral2/files/0x000700000002322c-111.dat | UPX
behavioral2/memory/3004-112-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/1148-114-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/1148-117-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x000700000002322e-119.dat | UPX
behavioral2/memory/536-123-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x000700000002322f-125.dat | UPX
behavioral2/files/0x0007000000023230-130.dat | UPX
behavioral2/memory/1636-131-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/3220-136-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x0007000000023228-184.dat | UPX
behavioral2/files/0x000700000002322c-188.dat | UPX
behavioral2/memory/3584-189-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/3804-192-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x000700000002322e-194.dat | UPX
behavioral2/files/0x000700000002322f-199.dat | UPX
behavioral2/memory/3800-197-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/2376-200-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/2376-203-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x0007000000023230-205.dat | UPX
behavioral2/memory/5000-206-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/2964-209-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x0007000000023231-211.dat | UPX
behavioral2/memory/2128-215-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/files/0x0007000000023232-217.dat | UPX
behavioral2/memory/4016-221-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/5000-247-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/3428-252-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/2576-256-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
behavioral2/memory/5000-257-0x0000000000400000-0x000000000042F000-memory.dmp | UPX
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 14 IoCs
pid | Process
3004 | xk.exe
1148 | IExplorer.exe
536 | WINLOGON.EXE
1636 | CSRSS.EXE
3220 | SERVICES.EXE
3584 | xk.exe
3804 | IExplorer.exe
3800 | WINLOGON.EXE
2376 | CSRSS.EXE
2964 | SERVICES.EXE
2128 | LSASS.EXE
4016 | SMSS.EXE
3428 | LSASS.EXE
2576 | SMSS.EXE
Modifies system executable filetype association 2 TTPs 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
resource | yara_rule
behavioral2/memory/5000-0-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x0007000000023224-8.dat | upx
behavioral2/files/0x0007000000023228-106.dat | upx
behavioral2/files/0x000700000002322c-111.dat | upx
behavioral2/memory/3004-112-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/1148-114-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/1148-117-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x000700000002322e-119.dat | upx
behavioral2/memory/536-123-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x000700000002322f-125.dat | upx
behavioral2/files/0x0007000000023230-130.dat | upx
behavioral2/memory/1636-131-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/3220-136-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x0007000000023228-184.dat | upx
behavioral2/files/0x000700000002322c-188.dat | upx
behavioral2/memory/3584-189-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/3804-192-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x000700000002322e-194.dat | upx
behavioral2/files/0x000700000002322f-199.dat | upx
behavioral2/memory/3800-197-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/2376-200-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/2376-203-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x0007000000023230-205.dat | upx
behavioral2/memory/5000-206-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/2964-209-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x0007000000023231-211.dat | upx
behavioral2/memory/2128-215-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/files/0x0007000000023232-217.dat | upx
behavioral2/memory/4016-221-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/5000-247-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/3428-252-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/2576-256-0x0000000000400000-0x000000000042F000-memory.dmp | upx
behavioral2/memory/5000-257-0x0000000000400000-0x000000000042F000-memory.dmp | upx
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | F:\desktop.ini | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created | F:\desktop.ini | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened for modification | C:\desktop.ini | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created | C:\desktop.ini | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\P: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\S: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\X: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\U: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\Y: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\I: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\L: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\N: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\O: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\R: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\T: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\Z: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\G: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\H: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\J: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\K: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\W: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\B: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\M: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\Q: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened (read-only) | \??\V: | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created | C:\Windows\SysWOW64\shell.exe | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created | C:\Windows\SysWOW64\Mig2.scr | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\xk.exe | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
File created | C:\Windows\xk.exe | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Modifies Control Panel 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\ | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Modifies registry class 15 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Suspicious use of SetWindowsHookEx 15 IoCs
pid | Process
5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
3004 | xk.exe
1148 | IExplorer.exe
536 | WINLOGON.EXE
1636 | CSRSS.EXE
3220 | SERVICES.EXE
3584 | xk.exe
3804 | IExplorer.exe
3800 | WINLOGON.EXE
2376 | CSRSS.EXE
2964 | SERVICES.EXE
2128 | LSASS.EXE
4016 | SMSS.EXE
3428 | LSASS.EXE
2576 | SMSS.EXE
Suspicious use of WriteProcessMemory 42 IoCs
description | pid | Process | procid_target
PID 5000 wrote to memory of 3004 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 88
PID 5000 wrote to memory of 3004 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 88
PID 5000 wrote to memory of 3004 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 88
PID 5000 wrote to memory of 1148 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 89
PID 5000 wrote to memory of 1148 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 89
PID 5000 wrote to memory of 1148 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 89
PID 5000 wrote to memory of 536 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 90
PID 5000 wrote to memory of 536 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 90
PID 5000 wrote to memory of 536 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 90
PID 5000 wrote to memory of 1636 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 91
PID 5000 wrote to memory of 1636 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 91
PID 5000 wrote to memory of 1636 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 91
PID 5000 wrote to memory of 3220 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 92
PID 5000 wrote to memory of 3220 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 92
PID 5000 wrote to memory of 3220 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 92
PID 5000 wrote to memory of 3584 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 93
PID 5000 wrote to memory of 3584 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 93
PID 5000 wrote to memory of 3584 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 93
PID 5000 wrote to memory of 3804 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 94
PID 5000 wrote to memory of 3804 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 94
PID 5000 wrote to memory of 3804 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 94
PID 5000 wrote to memory of 3800 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 95
PID 5000 wrote to memory of 3800 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 95
PID 5000 wrote to memory of 3800 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 95
PID 5000 wrote to memory of 2376 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 96
PID 5000 wrote to memory of 2376 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 96
PID 5000 wrote to memory of 2376 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 96
PID 5000 wrote to memory of 2964 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 97
PID 5000 wrote to memory of 2964 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 97
PID 5000 wrote to memory of 2964 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 97
PID 5000 wrote to memory of 2128 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 99
PID 5000 wrote to memory of 2128 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 99
PID 5000 wrote to memory of 2128 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 99
PID 5000 wrote to memory of 4016 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 100
PID 5000 wrote to memory of 4016 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 100
PID 5000 wrote to memory of 4016 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 100
PID 5000 wrote to memory of 3428 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 110
PID 5000 wrote to memory of 3428 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 110
PID 5000 wrote to memory of 3428 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 110
PID 5000 wrote to memory of 2576 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 111
PID 5000 wrote to memory of 2576 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 111
PID 5000 wrote to memory of 2576 | 5000 | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe | 111
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 5000
  Level 2: C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3004
  Level 2: C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 1148
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 536
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 1636
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3220
  Level 2: C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3584
  Level 2: C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3804
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3800
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2376
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2964
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2128
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 4016
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3428
  Level 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 2576
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads
- Filesize: 45KB
  MD5: f5f0b2d8f7def93777d833b4a6c44ced
  SHA1: cd05f8aaca09a8b4174fd3443f3f96869c937761
  SHA256: de532d17e9c232c6c66b6cfd7bb2474226dc3bd07d90e9c67cb9039f31a83ceb
  SHA512: 2a7f72fc1d6593dc43e93b8d5720d73cdee79ac33349f51a244257a95cfd155254bd21312ef57ddb29c13865714f27e447f3f8ba89d5b7e0efab21ff9a124417
- Filesize: 45KB
  MD5: 667c2301ff47cfacd47fdc6c1da8a12f
  SHA1: e8ccff577a4f06c3b32e4a0249b9818524f09e42
  SHA256: 1997f7457808108f20789454985bfdabcbb9376d8c53364f7dc47fd0b025ceee
  SHA512: 241f160a4fe78be635d31c230203b5b74e270d63e638a8071ad8a2ac05c482b467d27e537f2721bc8ab5062242f45698545aca711df310c4861835e7f3c81c17
- Filesize: 45KB
  MD5: dd0b6b1294997d60640fdec2dce59e01
  SHA1: 43b454d7f00ccf1a4027482edb7694175a1793f6
  SHA256: 1c65f8e5f34a48392c516f36280d60085a4579735c16076e5f3995ffbaa2b1bb
  SHA512: 76d7d0166aee54c0270e17d27a20f0a456702dc28f9a42eb4b6406391329eb15913f4b641e3c396c70081d7f3e3bbf082e96bfb6fb72e7fd3d8b8d88bc0cf69f
- Filesize: 45KB
  MD5: e235f7736e00d67d4783d4e7865abf15
  SHA1: 9302315deb10092c887cf039245fef8af935403d
  SHA256: 7fbcba09c110a83697af7e80cf5eb0ee1c26132a2bdd7ee4e22c436600b56912
  SHA512: a6eef963f96c6530a57ff107819315477d5ff7b2084b0c226c6be42a7aadf7668689abc63422e23dd04c2704c034ab48706f169c96d7ae5502a67263873f735e
- Filesize: 45KB
  MD5: e6713f4db7ddb80ad17db8c49c703353
  SHA1: 326f36af0bee25b2b808e957ad78b85f291882a7
  SHA256: 2cfa3b634ad1f83821f2a27ebf1c03e8f46e23af242dd55d5a914a8e783339f8
  SHA512: e24b599266850a7acb481fc8d91d22e190f471354f604fe8393c29330ad65d9409c03756c65c7ccf2089418bc06e7467205d3b2aa3944c623a473086dc48d003
- Filesize: 45KB
  MD5: 78a5e4e8963c6a13dd64522f238a81cc
  SHA1: 2b113cab08c692e2ef8023e5f5e1043d5207cb48
  SHA256: 07f447f5e44279cc9e4ed87c17356c7c4b745b87d82b3a7e7c737c30e06208f1
  SHA512: eb7231bfbea018c5cfc406684ec6aa8b34d70772091ce2ad9857458bfc4afb965a057dfea023b7fb3c8e95a466605777200145167c56739e0ff7b3470c3e9484
- Filesize: 45KB
  MD5: b1e5945c8e39f8e2d843d597f6a669da
  SHA1: 7b7cbf8d69e96883fde4cfb3ad06f2f4c7946ffa
  SHA256: 0e7d479782aa2c9f05ebbcf2f0912bc6ae0d75ce4a225481d2035624f378f53d
  SHA512: d6b0459459b02a6439c09ef817096756e8869d965160073b8e8f517004a46142d9675b4e1195065029e732cfffbf907f81463933d839439406735c37cba2251a
- Filesize: 45KB
  MD5: b8ab07210ff5437f105c6c82cd3bd78f
  SHA1: ab5d6c99aa966bb992e37fa8ee57a3dcbd4df3a7
  SHA256: 17fd18ce4c23b7d3542b4296a4a2414dfc84aab8d22962adca703dda91cd1d55
  SHA512: 2023b1ce8d82dfe9dd87ea534103b3b31157eb61de0c77ceb0f4a322e1b163b8abf9f5a4b5cbc79a453c419fcc368b75c93d8f959f371edb9736d9a3ee191f35
- Filesize: 45KB
  MD5: 270d7de5001bf0d43984acf26637694d
  SHA1: 3648776149b5fd2408e9bb9eef9eac5da096e034
  SHA256: 194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e
  SHA512: 2268ff8fef0b42cbbcc0cabada31e3cc64387b9128055d0d3491734dcdec3b18caa4463626de63ce52cf35c4c22eed2bd18810b8fda61ec82550ac24608bc758
- Filesize: 45KB
  MD5: daf6018e8ee62f0a018bcda2507d580a
  SHA1: 6ac524899f36d9a676f9a3ffe32017ee2f93500d
  SHA256: 64289aa8ad5f8b81c8a1c3c497243729bd41eb90108545f4a3571088d9e18751
  SHA512: 3ce7b8b635f1d69294ee9e7aaa1455cd7b85f3b2a6bfa51d3d8c0147096dcfd7e131b00057d4e0bbe9dc2a1dd74d493ec5db4fbb711e0273668dccf5772c0fc2
- Filesize: 45KB
  MD5: f43b682fced6f63da05ddde9684fe5af
  SHA1: 2888e84d29238591c7c22578a03cd4f07939451d
  SHA256: 80033b413e9701d4d73497e3c5316d1bb81f164e16cd6b0024e3270371801c1e
  SHA512: f5bf89c3b263ecb0726380615d85d65f632a11a7c5d3737f40f3446bdace681097343292a37d7dcf971a4e1002b472387462b84787a949c696258c16ce5e4e9d
- Filesize: 45KB
  MD5: 4a2ff7f3d8b3cdc94ca5aa9b165d13cf
  SHA1: a7ed631f2d71c64dc64579425962edb83052afed
  SHA256: a9f67ec39319b42802e9309df3d386ab2c915968693de31751720a04e40ee4f2
  SHA512: 930c45f626e167e92eb04d72f1e520d013895386391783d9a7a5c9d76e3d6f3e366b2c1e8dc992df0c5510fd44684e6fbf4e33d8ac248581f550fd1f5bdd920a
- Filesize: 45KB
  MD5: 4a1c433679b2b2e7de3b54a7192f320a
  SHA1: 6c1abee3b38c8f5bd38adcd269664e262153b7fd
  SHA256: 6e7c68fbb5a1126b3a386784b042dcd6889232df8e1da3ded6987585f1ce8e55
  SHA512: 4477f3981b8332048a7f6419aefbf163058bb7fd660a153da922f17e941487a21975696df4c5b4302fe8c9669d7f0d9ef2a49cceb7c072b81d297c7f338fe758