e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Size

63KB
MD5

371164f87275c60b2e1451c46588ffee
SHA1

59975974d2aa2bf1cd9a8e325a2647dca1e5d3db
SHA256

e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e
SHA512

26cf1345cf8da4b39245ab982fd0c513865ec2801fb35ef58e320a7fc05c38b59a0bfb1c63ee233ff174eff89f567459369e0ed744fea5f2609040c2e79ada20
SSDEEP

768:jSxam3Usjr3REXXr8yxFChMp7v9DLKrzCnbcuyD7UVeQI5no6cAvcV4RP0U+t6:jRsjdEIUFC2p79OCnouy8VDlAG4RsfU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral1/memory/1200-0-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0007000000015fa7-8.dat	UPX
behavioral1/files/0x0008000000016d05-107.dat	UPX
behavioral1/memory/2020-111-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2020-115-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016d1f-116.dat	UPX
behavioral1/memory/2784-126-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016d36-127.dat	UPX
behavioral1/memory/1132-136-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1132-140-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016d3a-141.dat	UPX
behavioral1/memory/2024-153-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016d9f-151.dat	UPX
behavioral1/memory/1200-165-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016da4-170.dat	UPX
behavioral1/files/0x0006000000016db3-173.dat	UPX
behavioral1/memory/2328-176-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1200-183-0x00000000004E0000-0x000000000050F000-memory.dmp	UPX
behavioral1/memory/2016-187-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1200-188-0x0000000000400000-0x000000000042F000-memory.dmp	UPX

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2020	xk.exe
2784	IExplorer.exe
1132	WINLOGON.EXE
2024	CSRSS.EXE
1824	SERVICES.EXE
2328	LSASS.EXE
2016	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1200-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000015fa7-8.dat	upx
behavioral1/files/0x0008000000016d05-107.dat	upx
behavioral1/memory/2020-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2020-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d1f-116.dat	upx
behavioral1/memory/2784-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-127.dat	upx
behavioral1/memory/1132-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1132-140-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d3a-141.dat	upx
behavioral1/memory/2024-153-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d9f-151.dat	upx
behavioral1/memory/1200-165-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016da4-170.dat	upx
behavioral1/files/0x0006000000016db3-173.dat	upx
behavioral1/memory/2328-176-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1200-183-0x00000000004E0000-0x000000000050F000-memory.dmp	upx
behavioral1/memory/2016-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1200-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
File created	C:\Windows\SysWOW64\shell.exe	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
File created	C:\Windows\SysWOW64\Mig2.scr	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
File created	C:\Windows\xk.exe	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
2020	xk.exe
2784	IExplorer.exe
1132	WINLOGON.EXE
2024	CSRSS.EXE
1824	SERVICES.EXE
2328	LSASS.EXE
2016	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2020	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	28
PID 1200 wrote to memory of 2020	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	28
PID 1200 wrote to memory of 2020	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	28
PID 1200 wrote to memory of 2020	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	28
PID 1200 wrote to memory of 2784	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	29
PID 1200 wrote to memory of 2784	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	29
PID 1200 wrote to memory of 2784	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	29
PID 1200 wrote to memory of 2784	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	29
PID 1200 wrote to memory of 1132	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	30
PID 1200 wrote to memory of 1132	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	30
PID 1200 wrote to memory of 1132	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	30
PID 1200 wrote to memory of 1132	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	30
PID 1200 wrote to memory of 2024	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	31
PID 1200 wrote to memory of 2024	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	31
PID 1200 wrote to memory of 2024	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	31
PID 1200 wrote to memory of 2024	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	31
PID 1200 wrote to memory of 1824	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	32
PID 1200 wrote to memory of 1824	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	32
PID 1200 wrote to memory of 1824	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	32
PID 1200 wrote to memory of 1824	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	32
PID 1200 wrote to memory of 2328	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	33
PID 1200 wrote to memory of 2328	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	33
PID 1200 wrote to memory of 2328	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	33
PID 1200 wrote to memory of 2328	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	33
PID 1200 wrote to memory of 2016	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	34
PID 1200 wrote to memory of 2016	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	34
PID 1200 wrote to memory of 2016	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	34
PID 1200 wrote to memory of 2016	1200	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe

C:\Users\Admin\AppData\Local\Temp\e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe
"C:\Users\Admin\AppData\Local\Temp\e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1200
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1132
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1824
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2328
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
452dbd36f67e05644d1925332b3987c4

SHA1
ca2b625addd16a312fc170078cd89581fb52bea3

SHA256
8fb1460fb95254c3c2f3af90b6b1c12d720e039252387ebb5a578c064f5d7f7e

SHA512
7c0a1268c6d07b57020b84fff456214b154a242c168a63c6017585702826350459766ee4ae8e56693b77df08395b741fd6837e0fba578b087d28c443032ab319

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
63KB

MD5
371164f87275c60b2e1451c46588ffee

SHA1
59975974d2aa2bf1cd9a8e325a2647dca1e5d3db

SHA256
e3aaef1cf6d4ca0a0cfd557c0cf7f11ffebf04312d77fd51590ad2e6c275dc6e

SHA512
26cf1345cf8da4b39245ab982fd0c513865ec2801fb35ef58e320a7fc05c38b59a0bfb1c63ee233ff174eff89f567459369e0ed744fea5f2609040c2e79ada20

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
c3a072029121e860bbc0d2fb75159329

SHA1
89d7de75fd29663cf2ce166a3304c6c9011a9615

SHA256
395d37823eb64b92f4ae7e1d4ab6179062d5eba0b3fbcca3c916c4cb18500e44

SHA512
7a47d8d4b7d3e89ed86c7fa945bf45b4f284164b7867916a882f89740f9051c47e454013e7d13c8ea281d78cc5848a155c7ee7af4801962f9c8b5fa4c9609459

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
1cce22f485735efa2de6042783c01847

SHA1
55c67f6044c845618f730a9f2df464943cf21fe2

SHA256
4f61613194369f9e243d3b3e57cb757af04dcc436a7c2558f1a0ab2777559608

SHA512
2e0ad4f1abffdabfb68df99a1bb8d7944dcdca73c970994d626e8f7994889e5f012350a8a1adfb731b1cb5065097165c085a4b3a992c22492187918ce054b20e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
d7832a2061aeecaaf72853d60a4f9f77

SHA1
60fc44ee9056bf00fbc5265d43e2ab93b42ff647

SHA256
a63c75f4d2fdc71bb2783f5feec060009557e4666a919a73ba79c34a1b0babf9

SHA512
1c315ea3a9dce8a7b75a1628b1e95fd199c02629b242f96cfec0492df51cbadbc5252dfb22ad28edcb0b7b199830711f9a73270ceb492227588595467870f051

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
24caa83990372ef713f7ede8c1366ba9

SHA1
47f62f3d275aca78a36ef6ec97f2dfc0388b63f0

SHA256
eba01baf67c58a2b7f26e70df9b38945c86017c0ea2cde6101573a8fb5b2081e

SHA512
464996cf5242d1a54651240e07eace36338be4fb3bf4aaef1f5d225012a9e5057c83681b503c53b7d3ef0a600c56c27ac23f8cfa253ef2c0b85ef97563b312cd

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
a1d49ab2bcfc7db7f9b052757811fca2

SHA1
962006c4034ba9c853107ef8da5a02bde551cd03

SHA256
5f563077468454a73de8f6873460888961f81b96fe320ea18ed151910e3aef83

SHA512
0c3684e9cb3a87b231000a396793cd42d3d2c15634397254773f88b819dd603cc56a009f39baf48b0b6e28bf29d00873293c91a169000703cf7ae6aca9c69982

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
c9810477951552e3397b9c2c021bdb4d

SHA1
90c98db741885d2d4553cbf3d557442040cf2e80

SHA256
a3707ab0f63fd6570b2af1a590ac4bd1feeccefc959aba954dc647bed919c795

SHA512
079d27f1a16b8128f7752a11e78ab6b0a13cfb6426c768a82426e17e1e6c8b482328a8b88ca76f6213b5cc5e7b70e16cc0cc4e0df5d0682964b56b04c0297248

Download Submit
memory/1132-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1132-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-159-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/1200-183-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/1200-135-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/1200-134-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/1200-123-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/1200-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-182-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/1200-109-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/1200-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-110-0x00000000004E0000-0x000000000050F000-memory.dmp

Filesize
188KB

Download
memory/2016-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2328-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download