Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/04/2024, 21:57
Static task
- static1
Behavioral task
- behavioral1: sample 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe, resource win7-20240221-en
- behavioral2: sample 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe, resource win10v2004-20240226-en
General
- Target: 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
- Size: 91KB
- MD5: 0e5817d0795284c455c76f25df817392
- SHA1: b05e09a68085a4a1cd79d777da7f120b9fc39cb3
- SHA256: 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
- SHA512: 0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa
- SSDEEP: 768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuKm3gRYjXbUeHORIC4q:uT3OA3+KQsxfS42T3OA3+KQsxfS45W
Malware Config
Signatures
The process column for every IoC below is 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe (PID 2840) unless a different process is named.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Disables RegEdit via registry modification (2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables use of System Restore points (1 TTP)
- No IoCs listed.

Executes dropped EXE (14 IoCs)
- PID 3924 xk.exe
- PID 4756 IExplorer.exe
- PID 4196 WINLOGON.EXE
- PID 4864 CSRSS.EXE
- PID 3352 SERVICES.EXE
- PID 2768 xk.exe
- PID 3100 IExplorer.exe
- PID 4036 WINLOGON.EXE
- PID 536 CSRSS.EXE
- PID 1080 SERVICES.EXE
- PID 2392 LSASS.EXE
- PID 3780 SMSS.EXE
- PID 2760 LSASS.EXE
- PID 4024 SMSS.EXE

Modifies system executable filetype association (2 TTPs, 13 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"

Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"

Drops desktop.ini file(s) (4 IoCs)
- File opened for modification: C:\desktop.ini
- File created: C:\desktop.ini
- File opened for modification: F:\desktop.ini
- File created: F:\desktop.ini

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\Z:, \??\R:, \??\S:, \??\T:, \??\Y:, \??\U:, \??\B:, \??\M:, \??\O:, \??\Q:, \??\L:, \??\E:, \??\G:, \??\H:, \??\K:, \??\V:, \??\W:, \??\X:, \??\I:, \??\J:, \??\N:, \??\P:

Drops file in System32 directory (6 IoCs)
- File opened for modification: C:\Windows\SysWOW64\shell.exe
- File created: C:\Windows\SysWOW64\shell.exe
- File created: C:\Windows\SysWOW64\Mig2.scr
- File created: C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification: C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification: C:\Windows\SysWOW64\Mig2.scr

Drops file in Windows directory (2 IoCs)
- File opened for modification: C:\Windows\xk.exe
- File created: C:\Windows\xk.exe

Modifies Control Panel (4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
- Key created: \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
- Set value (str): \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"

Modifies registry class (15 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 2840 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe (listed twice)

Suspicious use of SetWindowsHookEx (15 IoCs)
- PID 2840 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
- PID 3924 xk.exe
- PID 4756 IExplorer.exe
- PID 4196 WINLOGON.EXE
- PID 4864 CSRSS.EXE
- PID 3352 SERVICES.EXE
- PID 2768 xk.exe
- PID 3100 IExplorer.exe
- PID 4036 WINLOGON.EXE
- PID 536 CSRSS.EXE
- PID 1080 SERVICES.EXE
- PID 2392 LSASS.EXE
- PID 3780 SMSS.EXE
- PID 2760 LSASS.EXE
- PID 4024 SMSS.EXE

Suspicious use of WriteProcessMemory (42 IoCs)
The writing process in every row is PID 2840 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe; each row below is recorded three times in the report (14 targets x 3 = 42 IoCs).
- PID 2840 wrote to memory of 3924 (procid_target 86)
- PID 2840 wrote to memory of 4756 (procid_target 87)
- PID 2840 wrote to memory of 4196 (procid_target 89)
- PID 2840 wrote to memory of 4864 (procid_target 90)
- PID 2840 wrote to memory of 3352 (procid_target 92)
- PID 2840 wrote to memory of 2768 (procid_target 93)
- PID 2840 wrote to memory of 3100 (procid_target 94)
- PID 2840 wrote to memory of 4036 (procid_target 95)
- PID 2840 wrote to memory of 536 (procid_target 96)
- PID 2840 wrote to memory of 1080 (procid_target 97)
- PID 2840 wrote to memory of 2392 (procid_target 98)
- PID 2840 wrote to memory of 3780 (procid_target 99)
- PID 2840 wrote to memory of 2760 (procid_target 107)
- PID 2840 wrote to memory of 4024 (procid_target 108)

System policy modification (1 TTP, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe", PID 2840)
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Modifies system executable filetype association; Adds Run key to start application; Drops desktop.ini file(s); Enumerates connected drives; Drops file in System32 directory; Drops file in Windows directory; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
  Child processes (each flagged: Executes dropped EXE; Suspicious use of SetWindowsHookEx):
  - [2] C:\Windows\xk.exe (command line: C:\Windows\xk.exe, PID 3924)
  - [2] C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, PID 4756)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", PID 4196)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", PID 4864)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", PID 3352)
  - [2] C:\Windows\xk.exe (command line: C:\Windows\xk.exe, PID 2768)
  - [2] C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, PID 3100)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", PID 4036)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", PID 536)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", PID 1080)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", PID 2392)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", PID 3780)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", PID 2760)
  - [2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", PID 4024)
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Event Triggered Execution (1)
    - Change Default File Association (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
  - Event Triggered Execution (1)
    - Change Default File Association (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (6)
Downloads