6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Size

45KB
MD5

7920967d423517857017c07dc365efdf
SHA1

518cc93020965e2991b59be996d943df34c9a70d
SHA256

6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e
SHA512

f8b696f5cb80068c6542452b4cd3958d5ec10ae6c304422c840d36bd7b00b4936a036f6467e0f699b1af1fb693c02b6dcb5aa15d225de7788ba4ad5e5cde85ef
SSDEEP

768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nE9:8AwEmBj3EXHn4x+9a9

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Detects executables built or packed with MPress PE compressor 22 IoCs

resource	yara_rule
behavioral1/memory/1960-0-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000016d2c-8.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2024-112-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000016d61-111.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2024-115-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018739-116.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1440-123-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1440-127-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000018787-128.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1856-137-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001878d-138.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/816-145-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/816-149-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000018bf0-150.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2220-159-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2220-162-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019228-163.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1748-172-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001923b-173.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1960-179-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1032-186-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1960-187-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2024	xk.exe
1440	IExplorer.exe
1856	WINLOGON.EXE
816	CSRSS.EXE
2220	SERVICES.EXE
1748	LSASS.EXE
1032	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
File created	C:\Windows\SysWOW64\shell.exe	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
File created	C:\Windows\SysWOW64\Mig2.scr	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
File created	C:\Windows\xk.exe	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
2024	xk.exe
1440	IExplorer.exe
1856	WINLOGON.EXE
816	CSRSS.EXE
2220	SERVICES.EXE
1748	LSASS.EXE
1032	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2024	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	28
PID 1960 wrote to memory of 2024	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	28
PID 1960 wrote to memory of 2024	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	28
PID 1960 wrote to memory of 2024	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	28
PID 1960 wrote to memory of 1440	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	29
PID 1960 wrote to memory of 1440	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	29
PID 1960 wrote to memory of 1440	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	29
PID 1960 wrote to memory of 1440	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	29
PID 1960 wrote to memory of 1856	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	30
PID 1960 wrote to memory of 1856	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	30
PID 1960 wrote to memory of 1856	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	30
PID 1960 wrote to memory of 1856	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	30
PID 1960 wrote to memory of 816	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	31
PID 1960 wrote to memory of 816	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	31
PID 1960 wrote to memory of 816	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	31
PID 1960 wrote to memory of 816	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	31
PID 1960 wrote to memory of 2220	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	32
PID 1960 wrote to memory of 2220	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	32
PID 1960 wrote to memory of 2220	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	32
PID 1960 wrote to memory of 2220	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	32
PID 1960 wrote to memory of 1748	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	33
PID 1960 wrote to memory of 1748	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	33
PID 1960 wrote to memory of 1748	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	33
PID 1960 wrote to memory of 1748	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	33
PID 1960 wrote to memory of 1032	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	34
PID 1960 wrote to memory of 1032	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	34
PID 1960 wrote to memory of 1032	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	34
PID 1960 wrote to memory of 1032	1960	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe

C:\Users\Admin\AppData\Local\Temp\6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe
"C:\Users\Admin\AppData\Local\Temp\6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1960
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1440
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:816
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1748
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
45KB

MD5
7920967d423517857017c07dc365efdf

SHA1
518cc93020965e2991b59be996d943df34c9a70d

SHA256
6b8d8f703944a1c92ab0c5f79d024acb9675b78f61206fb3cdc15f3ab1bbf41e

SHA512
f8b696f5cb80068c6542452b4cd3958d5ec10ae6c304422c840d36bd7b00b4936a036f6467e0f699b1af1fb693c02b6dcb5aa15d225de7788ba4ad5e5cde85ef

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
43a049e72c171991d854d30dd3ad9826

SHA1
64c8adbc10bd1e8d7c1f89d14b95d0acb6c6bd54

SHA256
0ff836ef4aebfd44375be06f4c43693d8ea68969e8a8ee74bd0630b8bc315294

SHA512
2237a9c6c368f588191db9f9fe7519f511188a91c630840aca0edf6fa8323917fb1a2b4167935a8f7f4b898fa9ba9c5bc80759611f56f88b596b4ae21f6a86fc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
8fdd99249f8decca2fa0339450c66650

SHA1
ddaef4cff52a5db6a290983a534d731244de378c

SHA256
3deb4d3d60917bcac28115466b48fa5bdb725994ae97303c29aec0a0d40de4a9

SHA512
7044ba3d8dbffe3322091997371f92a1cbe4e291a35cc05729a101afeeeeb3a55bb092c567b5f785eb4ef3fc0f9318724139b1437f7f388f7c179fe2a51447f1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
27bb2879259970feca5e6d5f6c6268db

SHA1
79d96b85d385e14f03b3fa3db8ca836bb392a9a0

SHA256
37cdf98a4768e87445a3a6694f03c77535af44f0caefca14f5605bebfa3bacd2

SHA512
8f1ab2a45e3065238ef7892cb202a46cccd051d7df826989994ee40d55d0d55e2c79d2bc45d6a68df994663206c0201f18962dafe0babf6662f9198c7e7b9771

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
7f85f25ac902977fc17c8c5d8a0bd1db

SHA1
18f0dfc06edc95e095971c8a6d0f6eaaf9203d19

SHA256
8cdcf39c33799d7ce6d430f68a71589bd0b62058a2a7a3b63d8443061bc710ba

SHA512
57aa4cae79b33101aff3352557ad5dcd851ca0e5e6ac9898de9a8c5309a4d9b7ed3e4b32829acec092f95484f1236804491af401933256cc0294f1fa146c0788

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
d911e1f0fcbfebe8c011e310f3a3eaad

SHA1
c06216a4ca5b45cc3f3459ca096ce01ef02e04cf

SHA256
0e3042c14dbbcb64236f6917c04a628883d1e4089869232fd7842cd21e610fa5

SHA512
1a7c43cd10e8507d8d95a278f671a5ee9c73e4d52e6d9e85b526db61e7ad7ce91748efc3af5ef60ba38b0d8d77e8d6f8e18695aaccb03a175ec33cec35db4bbc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
3e4fac3b93ef5a5500fb38b40460f21a

SHA1
6c41fbf0194fcc6b8bfb96ed3fce6bee390e0fb4

SHA256
1480b766a33a473e65fe08ff1c5af376bfbc51a4fcacb20e73c964f2defdbcca

SHA512
408ab57b9f28b9eeee0fdc6b8163bdb0f034e61b6dadbf95bc3d6f34adfa13854db07cb4bb7dd21c84e2ff2dbe37a16ef7f869e3d5fda9a0f7a33669e2715b7e

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
9d3830e19df405c3405618ccbed092ea

SHA1
20218d8a150fd0846ae024ebe36e3c160ef6197e

SHA256
10fff882bf90ebb63023b4f3b678da98574aba703894d3a980ec295173d950bf

SHA512
6655eb37fc9d17b12f06c25e64d5a247fcf374d74c2aa4e57b490141f3225f76040c72567208b784bd3c3bdd23915ba5f7217127d4da64da139c894169d4833a

Download Submit
memory/816-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/816-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1032-186-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1440-123-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1440-127-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1748-172-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1856-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1960-157-0x0000000002570000-0x000000000259E000-memory.dmp

Filesize
184KB

Download
memory/1960-158-0x0000000002570000-0x000000000259E000-memory.dmp

Filesize
184KB

Download
memory/1960-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1960-109-0x0000000002570000-0x000000000259E000-memory.dmp

Filesize
184KB

Download
memory/1960-110-0x0000000002570000-0x000000000259E000-memory.dmp

Filesize
184KB

Download
memory/1960-179-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1960-181-0x0000000002570000-0x000000000259E000-memory.dmp

Filesize
184KB

Download
memory/1960-187-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2024-115-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2024-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2220-159-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2220-162-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download