86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Size

91KB
MD5

352087d465f180e096eb49568346e072
SHA1

b74f05f94bf291ba6a9735798e0d6bffa766979a
SHA256

86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c
SHA512

600eafacf6651e6aa9713284ac092e74037e88b0249ea7925e27a9e2a51b2d3ed8d74d8ee4ad276230fac5b6c9902bf7a0433b7191e2844a0a150af55de8bb07
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VTyRsjdf1aM67v32Z9x5nouy8VTQ:EOaHv3YpoutNyOaHv3YpoutNQ

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

UPX dump on OEP (original entry point) 21 IoCs

resource	yara_rule
behavioral1/memory/2164-0-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00080000000145c7-8.dat	UPX
behavioral1/files/0x0007000000015caf-109.dat	UPX
behavioral1/memory/2008-112-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015ce2-115.dat	UPX
behavioral1/memory/2008-117-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2164-118-0x0000000002880000-0x00000000028AF000-memory.dmp	UPX
behavioral1/memory/2812-127-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015cf3-128.dat	UPX
behavioral1/memory/1068-138-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015cfd-139.dat	UPX
behavioral1/memory/2488-146-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d09-149.dat	UPX
behavioral1/memory/2488-152-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1908-162-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d13-163.dat	UPX
behavioral1/memory/2164-171-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000015d20-174.dat	UPX
behavioral1/memory/2416-177-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2164-188-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2208-187-0x0000000000400000-0x000000000042F000-memory.dmp	UPX

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2008	xk.exe
2812	IExplorer.exe
1068	WINLOGON.EXE
2488	CSRSS.EXE
1908	SERVICES.EXE
2416	LSASS.EXE
2208	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2164-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00080000000145c7-8.dat	upx
behavioral1/files/0x0007000000015caf-109.dat	upx
behavioral1/memory/2008-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015ce2-115.dat	upx
behavioral1/memory/2008-117-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2164-118-0x0000000002880000-0x00000000028AF000-memory.dmp	upx
behavioral1/memory/2812-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015cf3-128.dat	upx
behavioral1/memory/1068-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015cfd-139.dat	upx
behavioral1/memory/2488-146-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d09-149.dat	upx
behavioral1/memory/2488-152-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1908-162-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d13-163.dat	upx
behavioral1/memory/2164-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000015d20-174.dat	upx
behavioral1/memory/2416-177-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2164-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2208-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
File created	C:\Windows\SysWOW64\Mig2.scr	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
File created	C:\Windows\xk.exe	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
2008	xk.exe
2812	IExplorer.exe
1068	WINLOGON.EXE
2488	CSRSS.EXE
1908	SERVICES.EXE
2416	LSASS.EXE
2208	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2008	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	28
PID 2164 wrote to memory of 2008	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	28
PID 2164 wrote to memory of 2008	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	28
PID 2164 wrote to memory of 2008	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	28
PID 2164 wrote to memory of 2812	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	29
PID 2164 wrote to memory of 2812	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	29
PID 2164 wrote to memory of 2812	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	29
PID 2164 wrote to memory of 2812	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	29
PID 2164 wrote to memory of 1068	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	30
PID 2164 wrote to memory of 1068	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	30
PID 2164 wrote to memory of 1068	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	30
PID 2164 wrote to memory of 1068	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	30
PID 2164 wrote to memory of 2488	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	31
PID 2164 wrote to memory of 2488	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	31
PID 2164 wrote to memory of 2488	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	31
PID 2164 wrote to memory of 2488	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	31
PID 2164 wrote to memory of 1908	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	32
PID 2164 wrote to memory of 1908	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	32
PID 2164 wrote to memory of 1908	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	32
PID 2164 wrote to memory of 1908	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	32
PID 2164 wrote to memory of 2416	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	33
PID 2164 wrote to memory of 2416	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	33
PID 2164 wrote to memory of 2416	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	33
PID 2164 wrote to memory of 2416	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	33
PID 2164 wrote to memory of 2208	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	34
PID 2164 wrote to memory of 2208	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	34
PID 2164 wrote to memory of 2208	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	34
PID 2164 wrote to memory of 2208	2164	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe

C:\Users\Admin\AppData\Local\Temp\86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe
"C:\Users\Admin\AppData\Local\Temp\86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2164
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2008
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2488
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1908
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2416
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
352087d465f180e096eb49568346e072

SHA1
b74f05f94bf291ba6a9735798e0d6bffa766979a

SHA256
86d8456a7832bfb4909c9972d2a5622b1c341df3a405d9ff15f79ffe9e34563c

SHA512
600eafacf6651e6aa9713284ac092e74037e88b0249ea7925e27a9e2a51b2d3ed8d74d8ee4ad276230fac5b6c9902bf7a0433b7191e2844a0a150af55de8bb07

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
f25ae988a8062f1ee3dc9d444bc8f281

SHA1
012a00df03c73a71d524b4bb9590c937fe961c5e

SHA256
d14a606bce56bd72820ef9d76ea91ba26a547566062cb535e879512d786a532c

SHA512
5a37b23d32e4020e3d56b0315e72d8f530cc2430d504ce8bf85b66d27092786da002d714f8b6223001ced2862b31d2b8e5dfa9a61281044073375677a6df6369

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
48d89c59971e19da58976a3906b39571

SHA1
f59191f71d57e05890490ea7f5485748b1b289c8

SHA256
2414f17c240d84a0484c48c1504b9be302683a833e7aa1fffd04737ff26bf382

SHA512
628c5f61103d857680bd8d72d32ffe8d25c9161939185451722d3b1abb63f89e531e38454cbf36a39333252361c5b52cd89b708fe2fd9aa64eda4042eccb35d0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
2ead3d43cb6141571cf9acc8e15b92fd

SHA1
d7f839d7bd697c0805ac695e5265f43e14241f43

SHA256
1a2ccc51d134d2d53055e7f441af5cecc78a52ce7a7688e7668e11745aa0785d

SHA512
3c2993818569c250bedd749d0b595d024960b029c91f50497a8f93d706b34c07cec38cbcbb8b918f2acbce00a512afa52944b8adbc22deb87ba5cec55c5a9b79

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
7c36e6bc68c189c3e553122cd4464f2c

SHA1
a6718be04fe9ef717ad3e3cd825620bd9475e2f4

SHA256
ba10afd0da2ed661952328d0c68befe6cb3d089e1dd12860fe323ae971118f1e

SHA512
a1a5aa8386ad4fd523099e296e5cef31871289a0183eccaed3bb8ceb0f5fa694b857020b4aa7ba1d226c941d6078bf21fdaa7d1d5d7bfd577b32a05ee1a9963d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
09ba661c996dfbd18205e8568053006e

SHA1
a2e45b83c4b397602c5b4b8c1710e04447c157df

SHA256
8d38d8bf64815baa80e16eaf577c49428a6d31d951c0a065f62e00b7ddf8db24

SHA512
49e4614013d5e8d898073938281207a4502773d4c00963e806827643c1dec74dc5c04239c64e42f2c4c32f582b0143f5ca8fe95d5d80f1aadbf93466998a972b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
97aa1842c48b8e0ae5e67485024d8dba

SHA1
a99cbddb77300aab4fc5d25f4ffa7e96aedd75b3

SHA256
5ed957ff4e3cb0a01b84b74735aad64e8040b01596b144976ebadb82333c83eb

SHA512
04ee3e1e984b7aeddf50972166da5803236bcbc65ce5c66891644d438905cdcac0546d9ad448a38dae7f613e20ee30dab7978cf0e0186903405cf1066d55dce8

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
49134d9823dee95a68d5f5c049e3e5a0

SHA1
ba07151d5ba7a1e771be9c9aef2142ed82d6d14b

SHA256
cdfcba625b384ce1e1191844e3f75a48f03c46bef3d9b62bd31b9d0202641c89

SHA512
59974ce9a6fafd24789dea42e916cd0f7f4be06732b43fe6bba96fa4fd4911100a2efc0c11f445dbe4141e356f716990ff8c3043545bd4f83fb37854334f61bf

Download Submit
memory/1068-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-159-0x0000000002880000-0x00000000028AF000-memory.dmp

Filesize
188KB

Download
memory/2164-111-0x0000000002880000-0x00000000028AF000-memory.dmp

Filesize
188KB

Download
memory/2164-110-0x0000000002880000-0x00000000028AF000-memory.dmp

Filesize
188KB

Download
memory/2164-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-118-0x0000000002880000-0x00000000028AF000-memory.dmp

Filesize
188KB

Download
memory/2164-158-0x0000000002880000-0x00000000028AF000-memory.dmp

Filesize
188KB

Download
memory/2164-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-165-0x0000000002880000-0x00000000028AF000-memory.dmp

Filesize
188KB

Download
memory/2208-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2416-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2488-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download