12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Size

91KB
MD5

19d4ba6301d3ed610dfb5938c80335ab
SHA1

a61a90de26098ff659fb7a186b1b56b88b908e78
SHA256

12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84
SHA512

43751d57f26bd41f8b7919afe2881c8a4ee10702880fd08555f82669897c542d6daef42594429e0a9ce6fcea0c802af492c7f0a0acbe0fde90703fba6ac9d9f5
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiAJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIAvtYxOuYotvYQIE

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

UPX dump on OEP (original entry point) 19 IoCs

resource	yara_rule
behavioral1/memory/1824-0-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0008000000013a15-8.dat	UPX
behavioral1/files/0x000a000000013b02-107.dat	UPX
behavioral1/memory/2524-111-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2524-116-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00060000000146a7-114.dat	UPX
behavioral1/memory/2808-125-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x000600000001474b-126.dat	UPX
behavioral1/memory/1352-136-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x000600000001475f-137.dat	UPX
behavioral1/memory/1628-145-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1628-150-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00060000000148af-148.dat	UPX
behavioral1/files/0x0006000000014a29-159.dat	UPX
behavioral1/memory/1824-166-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1464-173-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000014c0b-171.dat	UPX
behavioral1/memory/340-183-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1824-185-0x0000000000400000-0x000000000042F000-memory.dmp	UPX

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2524	xk.exe
2808	IExplorer.exe
1352	WINLOGON.EXE
1628	CSRSS.EXE
1656	SERVICES.EXE
1464	LSASS.EXE
340	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1824-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0008000000013a15-8.dat	upx
behavioral1/files/0x000a000000013b02-107.dat	upx
behavioral1/memory/2524-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2524-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000146a7-114.dat	upx
behavioral1/memory/2808-125-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001474b-126.dat	upx
behavioral1/memory/1352-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001475f-137.dat	upx
behavioral1/memory/1628-145-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1628-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000148af-148.dat	upx
behavioral1/files/0x0006000000014a29-159.dat	upx
behavioral1/memory/1824-166-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1464-173-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000014c0b-171.dat	upx
behavioral1/memory/340-183-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1824-185-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
File created	C:\Windows\SysWOW64\shell.exe	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
File created	C:\Windows\SysWOW64\Mig2.scr	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
File created	C:\Windows\xk.exe	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
2524	xk.exe
2808	IExplorer.exe
1352	WINLOGON.EXE
1628	CSRSS.EXE
1656	SERVICES.EXE
1464	LSASS.EXE
340	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2524	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	28
PID 1824 wrote to memory of 2524	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	28
PID 1824 wrote to memory of 2524	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	28
PID 1824 wrote to memory of 2524	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	28
PID 1824 wrote to memory of 2808	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	29
PID 1824 wrote to memory of 2808	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	29
PID 1824 wrote to memory of 2808	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	29
PID 1824 wrote to memory of 2808	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	29
PID 1824 wrote to memory of 1352	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	30
PID 1824 wrote to memory of 1352	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	30
PID 1824 wrote to memory of 1352	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	30
PID 1824 wrote to memory of 1352	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	30
PID 1824 wrote to memory of 1628	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	31
PID 1824 wrote to memory of 1628	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	31
PID 1824 wrote to memory of 1628	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	31
PID 1824 wrote to memory of 1628	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	31
PID 1824 wrote to memory of 1656	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	32
PID 1824 wrote to memory of 1656	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	32
PID 1824 wrote to memory of 1656	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	32
PID 1824 wrote to memory of 1656	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	32
PID 1824 wrote to memory of 1464	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	33
PID 1824 wrote to memory of 1464	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	33
PID 1824 wrote to memory of 1464	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	33
PID 1824 wrote to memory of 1464	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	33
PID 1824 wrote to memory of 340	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	34
PID 1824 wrote to memory of 340	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	34
PID 1824 wrote to memory of 340	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	34
PID 1824 wrote to memory of 340	1824	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe

C:\Users\Admin\AppData\Local\Temp\12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe
"C:\Users\Admin\AppData\Local\Temp\12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1824
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1352
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1464
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
19d4ba6301d3ed610dfb5938c80335ab

SHA1
a61a90de26098ff659fb7a186b1b56b88b908e78

SHA256
12558505aaad8d297ae02c60003062d1e20d05eb465342cde4ed4d5159250f84

SHA512
43751d57f26bd41f8b7919afe2881c8a4ee10702880fd08555f82669897c542d6daef42594429e0a9ce6fcea0c802af492c7f0a0acbe0fde90703fba6ac9d9f5

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
a95e4cfebc0ed7564ce80dfac4753d97

SHA1
c3ebf7c08bc1fca2098c0834dfed55d656050941

SHA256
9c140a038227cb6d29ad33efa7d8f91968cba08286811c0fefb3f964ce1c4a01

SHA512
61df4c503741b2aba589fc15bd9236f8bf04430bea8fcdb2fa441b7652bafff2362b28bbea63ef1a9ce956dd36cf8b2edd8a5452d00fbe01090267e1dcc5397e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c0c43e7dbcb2544f8c1c35825a7bf8ec

SHA1
b80d25cd6046d507dbad2c91a19c414f466b958b

SHA256
57737a869e02bab246ad9a581b9943fef8d4da986b50eb153c51efdb23a41ae1

SHA512
e32b78c6db4cb91840271dd5910f9d9551e6f4c3219bc3049ca251cb66a986f6b742610ec4dcbf2290e280b27f335dd8c3a590da4ec27316aa71f1205af32623

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
869354b5cd21b49176eac20513ea355f

SHA1
3a2a42f8677fddb2e4fd2af3c3760c9859261e70

SHA256
cc21741e5b60c6bb38b3f5c084e33c37e4c6280185c65deece4ede1371e2d418

SHA512
e4b601513c3cbd4b73ee1f5e199c15784fc6a866a900dc117a8be105c82b4998fec1657435df6469020bbce2315f9471559aaf6125a919ef43c9284719842ef9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
9e5d01ac2ff7d3bfd84847bf00f67709

SHA1
d528c41eec9ae3821128ea19e6d941a28caa7775

SHA256
9623a85e63f046742b92935532a5df6a14630eaf01ef47d4bbd569dc8d2ccf0f

SHA512
6f3b2a3f2453e36f06786900ec3f1b34aeacdf793dc4402de484bc181c2ed64bc51dd9b1e822a78c590adf548d71d6a43345529547f1d067a6782be634ce1360

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
7c9bb3ef52e207a48dc7573d9c2de89c

SHA1
5a7b8ea18e79ff6299ecaf05de0d3effc9d2fb80

SHA256
4d1a4d9ea5831fd35515b3a9d613cf6a00bc0a7bdcaf68911b8d10e336da8852

SHA512
fa5376c59b85229d64d7fe6039f12475eaa3766692554d6020e2bccaeb52669bdf827c1aa5c98f4f8ea410a67dcd46652f085584010cb96e7c22da61b359e0f5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
8c042e5f9bd334f58a88b86b3e38f1b8

SHA1
b2a1f314d951e2b387182eff40018df715e7ccb9

SHA256
6a7fe9544b2a034baf3d23b41a2a3a83445a72457bfddd7b5178f2ec8b9dc670

SHA512
dbaab68c19d2c4f73727f64c1407959f8ea9e309e4b80879672565870d200025fb1a090ecf221702806710f8102647c4daa893d49a1a133e164c8dcdce1e0769

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
6eb0c0a3f49732b43c7a37b760a870aa

SHA1
0a6dd88480ef3f17ae89ee2d265e81c78ff6f84f

SHA256
e18c33f5157f1c26affc125ddc64662ef5ca07136208a804eea60d28158f4b26

SHA512
869baa9540beaf9a2d50f284f7daaa627d906b3dcd804842f7c9c7b4829c2fb1d153feb6c47814d3481cc1cbcc5ab7bb5ad8901cf765cc6586008aec60e81677

Download Submit
memory/340-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-167-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1824-109-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1824-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1824-110-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1824-178-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1824-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download