106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Size

45KB
MD5

7981f54b51ab1c6d3ce00fe207fc44c4
SHA1

40a02f8d7899f24700d1f86300aee0af17fa8aac
SHA256

106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f
SHA512

b080fd8600b30e1d97ee21f336283dfee84e2a767e626973dc338c39e8454f4a1453945d9d3aaa8dab472adcb7ae00223feb1671a7a3ac539713ae9ca6be36e9
SSDEEP

768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nE1A:8AwEmBj3EXHn4x+9am

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Detects executables built or packed with MPress PE compressor 35 IoCs

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000015264-8.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000015cb9-111.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d24-115.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1076-114-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1712-124-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d41-131.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2812-134-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3048-132-0x0000000000510000-0x000000000053E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d4a-138.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2812-137-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2488-146-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2488-150-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d4f-151.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3048-153-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1456-180-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000015cb9-216.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3048-217-0x0000000000510000-0x000000000053E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2256-219-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d24-223.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2256-225-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d41-234.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2280-237-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2876-243-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d4a-246.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2876-249-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1108-272-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d55-273.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1108-270-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/432-260-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/988-282-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000016d84-283.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3048-290-0x0000000000510000-0x000000000053E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1340-294-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3048-445-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 12 IoCs

pid	Process
1076	xk.exe
1712	IExplorer.exe
2812	WINLOGON.EXE
2488	CSRSS.EXE
1456	SERVICES.EXE
2256	xk.exe
2280	IExplorer.exe
2876	WINLOGON.EXE
432	CSRSS.EXE
1108	SERVICES.EXE
988	LSASS.EXE
1340	SMSS.EXE

Loads dropped DLL 20 IoCs

pid	Process
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File created	C:\desktop.ini	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened for modification	F:\desktop.ini	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File created	F:\desktop.ini	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\G:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\K:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\L:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\P:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\T:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\W:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\M:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\N:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\O:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\R:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\U:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\J:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\V:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\Z:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\Y:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\B:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\E:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\H:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\I:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\Q:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened (read-only)	\??\S:	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\shell.exe	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\Mig2.scr	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\xk.exe	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
File created	C:\Windows\xk.exe	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ = "_OlkCheckBox"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ = "_OutlookBarShortcuts"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\ = "_Store"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\ = "FoldersEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\ = "_FormNameRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ = "_JournalItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ = "PropertyPages"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ = "_OlkTextBox"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\ = "_SyncObject"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ = "_OlkCommandButton"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ = "FormDescription"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ = "OlkTextBoxEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ = "_OlkCategory"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
560	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
560	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
560	OUTLOOK.EXE
560	OUTLOOK.EXE
560	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
560	OUTLOOK.EXE
560	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
1076	xk.exe
1712	IExplorer.exe
2812	WINLOGON.EXE
2488	CSRSS.EXE
1456	SERVICES.EXE
2256	xk.exe
2280	IExplorer.exe
2876	WINLOGON.EXE
432	CSRSS.EXE
1108	SERVICES.EXE
988	LSASS.EXE
1340	SMSS.EXE
560	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1076	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	28
PID 3048 wrote to memory of 1076	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	28
PID 3048 wrote to memory of 1076	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	28
PID 3048 wrote to memory of 1076	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	28
PID 3048 wrote to memory of 1712	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	29
PID 3048 wrote to memory of 1712	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	29
PID 3048 wrote to memory of 1712	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	29
PID 3048 wrote to memory of 1712	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	29
PID 3048 wrote to memory of 2812	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	30
PID 3048 wrote to memory of 2812	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	30
PID 3048 wrote to memory of 2812	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	30
PID 3048 wrote to memory of 2812	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	30
PID 3048 wrote to memory of 2488	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	31
PID 3048 wrote to memory of 2488	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	31
PID 3048 wrote to memory of 2488	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	31
PID 3048 wrote to memory of 2488	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	31
PID 3048 wrote to memory of 1456	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	32
PID 3048 wrote to memory of 1456	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	32
PID 3048 wrote to memory of 1456	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	32
PID 3048 wrote to memory of 1456	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	32
PID 3048 wrote to memory of 2256	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	33
PID 3048 wrote to memory of 2256	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	33
PID 3048 wrote to memory of 2256	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	33
PID 3048 wrote to memory of 2256	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	33
PID 3048 wrote to memory of 2280	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	34
PID 3048 wrote to memory of 2280	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	34
PID 3048 wrote to memory of 2280	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	34
PID 3048 wrote to memory of 2280	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	34
PID 3048 wrote to memory of 2876	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	35
PID 3048 wrote to memory of 2876	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	35
PID 3048 wrote to memory of 2876	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	35
PID 3048 wrote to memory of 2876	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	35
PID 3048 wrote to memory of 432	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	36
PID 3048 wrote to memory of 432	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	36
PID 3048 wrote to memory of 432	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	36
PID 3048 wrote to memory of 432	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	36
PID 3048 wrote to memory of 1108	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	37
PID 3048 wrote to memory of 1108	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	37
PID 3048 wrote to memory of 1108	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	37
PID 3048 wrote to memory of 1108	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	37
PID 3048 wrote to memory of 988	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	38
PID 3048 wrote to memory of 988	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	38
PID 3048 wrote to memory of 988	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	38
PID 3048 wrote to memory of 988	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	38
PID 3048 wrote to memory of 1340	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	39
PID 3048 wrote to memory of 1340	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	39
PID 3048 wrote to memory of 1340	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	39
PID 3048 wrote to memory of 1340	3048	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe	39

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

C:\Users\Admin\AppData\Local\Temp\106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
"C:\Users\Admin\AppData\Local\Temp\106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3048
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1076
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1712
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2488
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1456
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2256
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2280
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:432
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1108
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:988
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1340

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
ebef96873ace0d2c7b357339f8efaef0

SHA1
4e4b0bba5489c093a83d83e822a5f3f742ba668f

SHA256
12d97123ad9a600e937ba5f5abe319ffc850cf4f61a354e4609980c1a4327318

SHA512
399be94adf2e25c1404ae82ee0784bc1ff2e2e99121ed5103669f80b371fe82dcdd00c85867497c6a582a8725221b5933b2271a8eebddcd25bb5708ff7227fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
e9190045dd4223a2a85e3786ff56ce81

SHA1
bcd3ecccc00e7716a479bba59300d3f769b7c660

SHA256
0e66cc21a0f4a3b043e0698f4fee841176fd51525cea820d3eeec984de133411

SHA512
277e8f7c2fcd1029d09389b941a6782f688385272ae58a03b0afaca12fed129ad2ff98e8062bcc49d92956a93e7dfd01dd907e3017222853191ce6684ab1a6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
710B

MD5
93dc1e7e8e4dc4762538a84b135b355d

SHA1
bb5653cf46ca6b9dcf6925ed5bd9b7f75dc997b6

SHA256
fbaf3df6ac17055ec9d5da6aadd6377d3f1651157107aeb86f5a9d51419b673c

SHA512
4516d55e32320c75e448724430afc4d723a5db0edd5279acd013195c59f993f9f0c0306099295bd3f8173d63822aad1de4d89a589e086234e8217ba439c70b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
f86d73eb222d9f01a9cdff84bdad93e7

SHA1
13d7cf0055164814ecb0dacae1701863c03f249d

SHA256
0330b25a6b49f183d60c2308cd03e75130fb6a29f8d43996f8f2d4acafdc1a05

SHA512
61ff17b75688c10002051865ada151ab7da41c06f8232408d39e13ff8350ca90022503bd56a6123181440db080c40eb1b67ab0d376548798ed773e086170e1a3

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
45KB

MD5
7981f54b51ab1c6d3ce00fe207fc44c4

SHA1
40a02f8d7899f24700d1f86300aee0af17fa8aac

SHA256
106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f

SHA512
b080fd8600b30e1d97ee21f336283dfee84e2a767e626973dc338c39e8454f4a1453945d9d3aaa8dab472adcb7ae00223feb1671a7a3ac539713ae9ca6be36e9

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
48be4a2ac4dffd6ce6fa77a4ce991ea1

SHA1
faa35e6d473a575bd1716c5780f040a1760da3c3

SHA256
a9567da66ea13c5d75043d0a0fdfdc3a5aba8e19707a867d49cb4a7c8eaf26d8

SHA512
60e19a983f36bc62f26b1675a70715a5deceabd33961055c6345bff1f89a7e5ad08924574111eccaea64bc97351a2bfd8fdbdf0f8c5ebb92192c6adc495a1b17

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
d436c443c2baf641e0f4fb0857d562b1

SHA1
009db0ff9090c7cbaffcb5a50954996316cce3f1

SHA256
a0f56fc2fb3ba52404772a7a0f09c7555815bd4f812c75629331a7e228e5a05d

SHA512
d40d751351edf38472ff0d553803705c0aad897dad1ef9db1567b7bada4df7aa71e7828815f0bccd569c1d15bd9833b181fc3895dba1652c672cd837ebe201a4

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
6949b65fdc2957371bef28172f285b91

SHA1
e7cfef73947d7be3bbef8ab421a18eb60f289ff0

SHA256
2249df04bf60584f6d8c3c3f5a2a7b65859bb6634d55d7c39d695b2e5d8a5440

SHA512
4894d1f21ed0765c37486bb4298ec562f105ec1b0b497069fa06b69f6185ae8ae3d16dadfe0f8e529bb3dc40a27381cbafcaf265001a7807fce80ce5f1d97f10

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
c2ce8e91ae1181ee74062c388337104e

SHA1
7bae8bd4ee0a3c70be2aa1d6d3a5b99a5b65a919

SHA256
c1c05e7ec5c507695c212b28938626775d56618679af9878031e714938d93198

SHA512
ff85441114ccf6b6f0985e522606c8ded14286294cfd8381ff2ae80ba1a60845624ddd079da4f723fe11912245c41374e399c79dd0c436246b214d70c5b2841d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
cae95cab9d3462fb497caaad38db5ef2

SHA1
80929d239008903e7a76242c5b798234b9f46e90

SHA256
ae52af464ee2319ac26607f3dae403ae503edeb818052761cafabefa10bf4536

SHA512
1cc363cbd09224b972ef0bff9cc832546ed3a2adc9dce2631998c8aa03f77b274555438dc34c8a9d7df75ddee57b7aabf4cb6ea10d96907088bfe2050753974e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
1738fa05df04bdac33af296e576dccb6

SHA1
477c0a5977e1d2bcbae2687d2a63b8c662aa12e2

SHA256
dc380fe1e853ed594dcd1d4a593caeadc4913bb7b14ed37fcafa4165ffd348a3

SHA512
fb2b1b68ebd16ab0c76c166a1471adea7eb9b62ce09823aff245fd926c1a3399b666f88555c046c747de822d8902f23b2ec3491ce3aeb3e9738dcb17a37a5026

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
cd0ec610d1b93f9a1af20bcd9b986245

SHA1
d3f82c1a9e2b96e3fbb9a3958b8b952781634e59

SHA256
de4db0a21ffa7950c65a080da02f345e37d9a2ee6694d2b03787d8dc69a6725d

SHA512
12b482a07dd304c45d5d20776aadbca690e7d9e755769030eed0a00f5788dc73aeb6f3e9160dd7ddb60b320156c7f4d5226643c97fecee4b73b10354415e4b73

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
bf36f5b17cfd9f8d30057b72453db984

SHA1
535697ceba6fd4ece23d4b781933628553cc5578

SHA256
96e8cf617e2684e8c0c48ae15d8ff083cda356fca551b94d871b96470573e611

SHA512
6a5d3f0b6cbcdc9d580c5e63eb3f300be0fde52c8919f4517ce642e553d147cb6c6b9408bf5b6e387b064a4440e23fa38ce1a5fbe391bbc0242c19d0139c715c

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
0cc41d90ae92edb4f121c4b7765ddccf

SHA1
f31879874dfb3960a6a86468415723470aabf774

SHA256
7ed5b1dbb904be6000d9696d02680647fcdc9b7577413174696b20f9e01df828

SHA512
8d16b24b7ea483fc1d67c3c11d246e93b4368247712b566c7aa63011f07d7318fa903ea64380f21347932ba1e029f1642e177f474354e4c3b0e62ff20c7a34fe

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
bdd28b2d4c76506372bc39652ec8c111

SHA1
f5dabe6daf5233a304406bdb39e7b38587747a53

SHA256
e994b3fbe8459d2e0837be6af04bde00e5f1c8a671f65724fdbfc64cc0ed8e5c

SHA512
dc8e8ce90fc2fe075cdbf4f5988977e34e3cf82a2ce26a20afd752e482ef300e044c2440e354715eb9d3b68b7096f517f30c62077cc8563150413465ebe36b77

Download Submit
memory/432-260-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/560-319-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/988-282-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1076-114-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-270-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1108-272-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1340-294-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1456-180-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1712-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2256-225-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2256-219-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2280-237-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2488-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2488-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2812-134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2812-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2876-243-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2876-249-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3048-217-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-133-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-265-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-153-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3048-145-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-218-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-290-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3048-132-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-266-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-231-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-109-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-110-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-444-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-445-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3048-446-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-447-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-449-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/3048-450-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download