b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
Size

170KB
MD5

a1d7b49e3c8b96961cccfe996c2cf22e
SHA1

966ca82a6c47a1672451ec8ab1499ef4e303452e
SHA256

b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d
SHA512

2b0c70c56d5838ef3f27fedada440b0454cd8a9cc78f6da2c451df5ec987d3e16fc175545c79ebddbcdcc9027a364e5b089c6d9af2ee3e0178b9dd239f344adb
SSDEEP

3072:wCcKpzOpm3uKQCDWeyDKVPy7THK4WZZzUR9Lr0lQb3:h7zOSuccuVqfp2+Se

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\\QJP4C2I.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000233b9-155.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe

Executes dropped EXE 5 IoCs

pid	Process
2268	service.exe
2020	smss.exe
2648	system.exe
5096	winlogon.exe
1992	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	system.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000233b9-155.dat	upx
behavioral2/memory/2648-327-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sNT5H7M0 = "C:\\Windows\\system32\\SNM1T6OPTF8Y0X.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0C2ITF = "C:\\Windows\\KMW5H7M.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\R:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LDE6H6R	service.exe
File opened for modification	C:\Windows\SysWOW64\SNM1T6OPTF8Y0X.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R\SNM1T6O.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\SNM1T6OPTF8Y0X.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R\SNM1T6O.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\SNM1T6OPTF8Y0X.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R\SNM1T6O.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\SNM1T6OPTF8Y0X.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\SNM1T6OPTF8Y0X.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R\SNM1T6O.cmd	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R\SNM1T6O.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R\SNM1T6O.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\SNM1T6OPTF8Y0X.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\LDE6H6R	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3F1V.com	system.exe
File created	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\zia01060	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	smss.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\QJP4C2I.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\PTF8Y0X.exe	service.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}	smss.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	smss.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	winlogon.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3F1V.com	service.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\QJP4C2I.exe	service.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\Windows\PTF8Y0X.exe	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\KMW5H7M.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	service.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	winlogon.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	system.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3F1V.com	lsass.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	service.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	system.exe
File opened for modification	C:\Windows\PTF8Y0X.exe	lsass.exe
File opened for modification	C:\Windows\PTF8Y0X.exe	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	lsass.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\lsass.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3F1V.com	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\KMW5H7M.exe	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\PTF8Y0X.exe	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File created	C:\Windows\MooNlight.R.txt	smss.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3F1V.com	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2648	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
2268	service.exe
2020	smss.exe
2648	system.exe
5096	winlogon.exe
1992	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2268	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	83
PID 2376 wrote to memory of 2268	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	83
PID 2376 wrote to memory of 2268	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	83
PID 2376 wrote to memory of 2020	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	84
PID 2376 wrote to memory of 2020	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	84
PID 2376 wrote to memory of 2020	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	84
PID 2376 wrote to memory of 2648	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	85
PID 2376 wrote to memory of 2648	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	85
PID 2376 wrote to memory of 2648	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	85
PID 2376 wrote to memory of 5096	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	86
PID 2376 wrote to memory of 5096	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	86
PID 2376 wrote to memory of 5096	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	86
PID 2376 wrote to memory of 1992	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	87
PID 2376 wrote to memory of 1992	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	87
PID 2376 wrote to memory of 1992	2376	b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe	87

C:\Users\Admin\AppData\Local\Temp\b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe
"C:\Users\Admin\AppData\Local\Temp\b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2268
- C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2648
- C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:5096
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Vivid.exe

Filesize
170KB

MD5
83bf60891d2a7509dd0c71a6d76577f5

SHA1
f98aabc47fc39520a7a2a2e81fc75aa697c1cbf7

SHA256
6c283553b52e674d0389be19b4e44a7b3ac31353a279092f593e0b1a52e9e83c

SHA512
a9fc368a138ab6fd2cb320e585e634f5a32da2c61f911b8c5f61d4c587dd895300993056217fad715f6de8d5360fadd283adf75aec9ac8a8ed0387a2d3480b97

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\QJP4C2I.exe

Filesize
170KB

MD5
a1d7b49e3c8b96961cccfe996c2cf22e

SHA1
966ca82a6c47a1672451ec8ab1499ef4e303452e

SHA256
b829330b25634a2063fdcdadc30aa6733295fcae3a9ba46fe91c887e21b24f6d

SHA512
2b0c70c56d5838ef3f27fedada440b0454cd8a9cc78f6da2c451df5ec987d3e16fc175545c79ebddbcdcc9027a364e5b089c6d9af2ee3e0178b9dd239f344adb

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\QJP4C2I.exe

Filesize
170KB

MD5
ed37911fcad67ed7e40ad1409b5cdea7

SHA1
e485627593acb2e55211e4fd19f9f87f0366f9e1

SHA256
5d9c36759f07e7fab927d6a39d331f6417fb21db27e8b3ed6327d4b90e4a94a8

SHA512
b97a7a2657b7e87a94229d992fe96fb63e85e85c660247a7a23483a9285f8b167a50458735ec4b117930e1c79b73b0190fc1d023adc7ae3e95d8ef7aa409b478

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3F1V.com

Filesize
170KB

MD5
55976b8a3818534021f6d3e5ee4091aa

SHA1
b44189829efb43ce0ad93a4f9a345601b73f0bb3

SHA256
90e979b8652ca081cecd10ff2b009bd37cd498237f752912442583576923fe1a

SHA512
9b6c9b867b250c700fea4972d89ae2ee852636c7b3ca6f245d0234ce024548fbf9100a49c88f50b986f1abc9677c323a61792fcfa951245a50c1aa5928e40970

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3F1V.com

Filesize
170KB

MD5
3e75583c015b781d3c72f601bcc43d8d

SHA1
372316d46dabb6ec66a551291dd65b2b5905e3b4

SHA256
6e4b216e6de38da1a136198ac787d225066db7f7553d606a008a84b4db8505de

SHA512
6ca46dd09f4fb1d848668aae0ee6f85a0dcd4e623098f7cec9c7abd6e8548eebea1e94f9c2040d40cb814d40df3f48dfcdde17722316f24d523c9ccd3f87aa1f

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
170KB

MD5
181bab66ffd473856ef01800302c39b0

SHA1
ade3ca7821d37ac8c1b51c481a0403b1695a3b9a

SHA256
4e162510f2bc2e060aabec1d1bad8bcc719b7fbf2cba76a82427b503bbf94889

SHA512
b7f781d4649b4bc18c2cfed124a9ff92d0010a5c875320e9fb85a965cdb176ef2a083a68e97e1e88628832ee257baae2d042c09a8e0b5b194057bb9db7ccb764

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
170KB

MD5
3f071149605afa38535c7dfff9e511c2

SHA1
4b48304715e432e8ae2033c2d792d669e0a5efa4

SHA256
d6cc342a9aa12cba869d491e9a39b236c2c2e950f38bd9aa4a2760a6c4357e4b

SHA512
1a838cd493b21616bce20b40cffe1221109ecc56acad74c0bc88eaf9f19688f42d4140104616650a1eee575fb6a3bd19355fbc388e8e79d024d429860c35ebcb

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
170KB

MD5
b250e08fdc5bd32cf92e9f0205b88a05

SHA1
11321cec0ff78ff50421013515fd172f17789836

SHA256
dc0b13481edd3e8b95f7df35b28d0eb36012fc64ffebdc5abc8c9fab5d392193

SHA512
468a2ccc8146dc54c7c696ffeaedd4a0f53111bec19d9ee819d67d7de1eebb892119ecb12805281931bdf70dd7e9760cf4b73c16e6c6cc0dd04aeb629366f77a

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
170KB

MD5
bc99ad2be2b1f6a9b8287e399cd08230

SHA1
246c4221228d74d31dd613bac6a88bb1dc75f118

SHA256
c52e9916cb69e80c8da5997b5870a064b61a9070e00b729a0703567c6765bfc5

SHA512
952ef4609a173c7a45bf5ea67289dd37c20e0fb3523e7dd1ca2c2b0c65d4311af3a7f4fb62009a129f561e904df7848daba38b7a5276c6655d4d9fd66b5fe419

Download Submit
C:\Windows\HNT2U5I.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

Filesize
170KB

MD5
0125d213cd5e7ea863d2a8c5b681ac07

SHA1
e2ae697b38290ad8fdffbb4aef22895adf2b7ef2

SHA256
af371f2b5baffb4f5f03110db6c2e100bd9e2e44fc207fdc49ab92f1e9b0a8d7

SHA512
3c98eeb63464ee480676fde4acccb8d0efe6aef6adadb925909cc2b0d555b28062000b12b541f18cf50658a03295d0386aa996fe6980697ae6ee164c7e8cf4d8

Download Submit
C:\Windows\KMW5H7M.exe

Filesize
170KB

MD5
59bda221fc47527cfa6c73d572d3138e

SHA1
9976fe1042e1bd6a8c5058e57b9ece45080d9a05

SHA256
26ecfe042933575d63de8817cead4b471799dedacbec6e3217d2a7e5065b5390

SHA512
61f915d3eb7b8015758e18068bfd8410c7bd7f97dd4b6a377156b73f6f8b865c6b66931459ea1bb853c5cd627de5bb662bed76e8139c4a55a48e769363fc4344

Download Submit
C:\Windows\PTF8Y0X.exe

Filesize
170KB

MD5
0ec8429291e288fc88e6728e4eef036f

SHA1
34d1501f497ab1b6dd818fc22bbaadd6de8eb3c5

SHA256
6e8b9d45e34f6ba4c3552210da2b5484c4f75e51867abd242438227c4a88cc7c

SHA512
71227508181fc2a7dcfde173966f2b04e9f30905593972fee5f3049f501064a3e8ece4ce78e32985864998300b9de7f8652a578799e19549878aa6e5a01e65ce

Download Submit
C:\Windows\SysWOW64\SNM1T6OPTF8Y0X.exe

Filesize
170KB

MD5
17bdbf571f6357cb75a03bb66e9b2f8e

SHA1
36254203eaac8b24b683ef5c18750efe58f47026

SHA256
85444579c264e00e0b78e2549b0923748f069a5d41fbc08b92573628f5e8ef51

SHA512
cfb3afe5384f41b555fd216da86bbc184f96ab9b5324136eadc1d8fbdd932f8000c90101a0b48676e0fdf7f821a4a853f9275813da62e4298e28d10865007439

Download Submit
C:\Windows\SysWOW64\TSW3E2O.exe

Filesize
170KB

MD5
b69de6fd884b809a6f676fa07a40b37d

SHA1
28545650b860f44de47a0595d849d566dc32daca

SHA256
5a6f577b1d50bd18983be24da03c62527e561666c94cf97e6e91ccc45d049ca6

SHA512
39d9846e21da1b66259894b300abf2771df8a8e939ef36c4adcb5f09b8f2156cd8f575b6c6a0166f1886415bf8e345077ea8f1d2ccd73e1783ace5f1bd426ee9

Download Submit
C:\Windows\SysWOW64\TSW3E2O.exe

Filesize
170KB

MD5
42a8ea0e0e85ba610a1ffa7d17b1cd3f

SHA1
94ad93404a1ef02a461302bf9d64d6589c3e6a52

SHA256
dc0f2eb2b10d7fdac10f443dfee07b652daca7b62b51677f2ca8516f62f9e28f

SHA512
e4adb7843e2c43395f8201a011246da380d5a2613370ee63aa0b1132905578639f68e4a9fb2a910f3a6f7dcc25b94eccc94adbc1f826f812a1f6d562c9fb4ba0

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
a7ad2e3736cc96e2bbd90e51907b14b3

SHA1
60907392ac73a97ed1d3780d6d4fb31511518fd4

SHA256
ae0349f91b2d883131843b36863133b9f072a27285aa120cb7a743488992ec21

SHA512
02a843e27b41469368df447012885d4fd865fbf6ed6f28a377d56008628857a88a38383ea234fb94954364e405ca1c397c2880b171091612d3e0b77107dd3467

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
d474f239e68fe8b8b2af14084d1b3819

SHA1
2bd64da2b95aaa7a105b91e9061925f358cbab03

SHA256
f0d6d081ca25fbdf6f4d4437557b4fdf99d1fedcdbe8a69cbf3c985fa51f874f

SHA512
d8fc14ccc0f986544ae4ff82354163a58a20a7c8d2cce57679e6a8198e5b7d3a7bf011b413a9c25155eeebdca41f3bf371f2cd8fc54061a8100ff7ccaef5af83

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
e71a648cdcb5daf91ea7790f951c1aa2

SHA1
fecd858e0d9b196a3073aea7f212cd0324d21e57

SHA256
3d7c897675b467acf98a32c206d1a49fedad54868d6d302aad08c47347c7ef60

SHA512
e627a8336ccc6dc0f91dedf6455b8e41646d7aeee3d9ebe2139ef1dea6dd48c7802cd9823c635b00168d5bf632b9a4bf49260e84a0681263a90a24def1cadac0

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
3b2d06f4c718b88b450ce1ccd437e73f

SHA1
e0b49b16b45bae734cb30316a3237d245f22bdce

SHA256
6a4bf06e7d1c2ec235003c0a21c41fbd4505b0f60b419af144ee6a1c9a9a7610

SHA512
641968623fc81751675ee4ca67dad5964ae77e9d0fbf5f09e82a6dde9a63f88671d7f8637b2d047a4b56402ede648aeafa51420d99056fdaf6f3a566fc5a67bb

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
3901a79afc3ed429cd22c85474ed7ef7

SHA1
e93632ee1d9aad007dd3eac5a7298e81aa8c42f3

SHA256
b79cf2c7b87a0210f25c39c3ae1ea72df7b46a11575fdde8fea5f626790d581a

SHA512
797dd0e992262de121e3361a046ccc29b3b25cc75a2d4f97b0c633ae8ff7227d571d7504d9bb64d6791f97f1f89062c43d7b0e34f9271c95b8592b5e68247af2

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
7d5d1908ac509d76a3818544fca143ea

SHA1
667e9b829b9d7cdb6276f0e9b72cf5be6c440ed8

SHA256
f59b033ec075d7d4fe274c5127f334b4262a949d1e187df0b6c3c47967fea084

SHA512
9bee473bbb7417a1307b5e173fd534e54836df5da22e121c35a7962c9c7fa3383b85f4d9e73636d221d3870417c8ca34258c8e13a8dd86ed760409df2ad43a35

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
aaaa4e77bd637b0b1e1f6faaa7a885f5

SHA1
3106c995c80c602e9cb901d84fdfdd8cdcb5ee02

SHA256
7f9bbbf537cf8625098e9365f331af832c75a10e6225034e26be8baf8150c97d

SHA512
85a8b7d283ec8895e0b9d300d5933796ba06680fdd26c166e0445786e341511cb37d99d6b84b54f73cb7fed3074017e8b245d38f14fe007e13440fe68a8d7f77

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
f35065f5ed79a0d6988b4f9b4a359110

SHA1
9cd17538f044b92f777c11f1703935b2a3befca8

SHA256
0ebe242c0a7a1079b74da9f4bb97b43f14598c9e9ae5bf8f1e08a0fd5355dcba

SHA512
de0819aab998100648bb399b8fe16c222c58c586aad48d3871a7282b79208a4c9a7c549d24967180756ada29108506e8622cd89c2a755a2c4ab405f711ec1de9

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
c14d86b2aa572ba9973828133ffd9d83

SHA1
db863f0efc33b72522b228f25835826fad532d32

SHA256
86a9eb67eca6d722a633e967a25866b874560ba49a49d024e9584f3db5a1a14e

SHA512
9c0d57b0a6be0d6c4f81268f75f4032cf81e6287a781fdc7b0050d1ed31c1456d6650186b0e3bf1204d47c92b358b59707f260e7042837c78a8777692fd67d34

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
c79ec3a7a2675b90e0c9af40f8d1cab8

SHA1
ec1d7cd4b3b2ecee295e178d4b0bc6afe16b4deb

SHA256
104fcb338da8345db51670d5f8f60c4041ea2ab55ea48c18d408866afddfd5d9

SHA512
dded4fa9b47f4e1e31639c3c5f20474cc94b634ed757ccc2da449619a2fa63dc8a5c59160279ec1458ac6160123f061f798f5a97798cbecb5df78873aa8be736

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
b2b272a9776b0930b87d0881c1ada58e

SHA1
86b65a3ea5f2d41ce63b550b9ba9e6fdfa9beaa6

SHA256
9cc8df5d085d4115090418d4e024e416545080611bd55d8d688a1e05293113e7

SHA512
88ccef1c4c3d673a608f62d7cb9e2da4aea4b85906ba2810f8a6a66f2a051b062267b2464acca136f507f5b54029b6c640b22a9bb970cd9f50d5691df7903700

Download Submit
memory/1992-310-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1992-340-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2020-312-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2020-74-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2268-311-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2268-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2376-290-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2376-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-313-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-349-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-375-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-327-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2648-333-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-361-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-89-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-387-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-339-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-345-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-351-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-357-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-338-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-363-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-371-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-314-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-377-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-383-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5096-389-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads