3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Size

91KB
MD5

1c316eeba686981d72258f5599b94010
SHA1

8c62688b26497196b0ff9dcefc63e1395d2118ed
SHA256

3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536
SHA512

1faa3721321898efe484109431a60d9b32bd28a9cbe92851872d0ce4b56dad0a44fdb067153700e1e0b9addf32bbeca220993c6e2a85763ff9b1922828116fe5
SSDEEP

1536:8AwEmBj3EXHn4x+9aK0QAwEmBj3EXHn4x+9aBm:8GmF3onW+MK0QGmF3onW+MBm

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 12 IoCs

pid	Process
1956	xk.exe
976	IExplorer.exe
2720	WINLOGON.EXE
808	CSRSS.EXE
1360	SERVICES.EXE
944	xk.exe
2944	IExplorer.exe
2788	WINLOGON.EXE
440	CSRSS.EXE
1500	SERVICES.EXE
844	LSASS.EXE
1544	SMSS.EXE

Loads dropped DLL 20 IoCs

pid	Process
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File created	C:\desktop.ini	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened for modification	F:\desktop.ini	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File created	F:\desktop.ini	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\N:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\O:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\Q:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\S:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\B:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\G:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\I:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\J:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\T:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\Y:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\X:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\H:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\K:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\V:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\W:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\R:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\Z:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\E:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\L:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\M:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened (read-only)	\??\P:	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\Mig2.scr	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\xk.exe	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\xk.exe	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\ = "_Store"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\ = "_PropertyAccessor"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ = "_JournalItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ = "Attachments"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\ = "_Views"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ = "_ToOrFromRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ = "_ImportanceRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2116	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2116	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2116	OUTLOOK.EXE
2116	OUTLOOK.EXE
2116	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2116	OUTLOOK.EXE
2116	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
1956	xk.exe
976	IExplorer.exe
2720	WINLOGON.EXE
808	CSRSS.EXE
1360	SERVICES.EXE
944	xk.exe
2944	IExplorer.exe
2788	WINLOGON.EXE
440	CSRSS.EXE
1500	SERVICES.EXE
844	LSASS.EXE
1544	SMSS.EXE
2116	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1956	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	28
PID 3008 wrote to memory of 1956	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	28
PID 3008 wrote to memory of 1956	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	28
PID 3008 wrote to memory of 1956	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	28
PID 3008 wrote to memory of 976	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	29
PID 3008 wrote to memory of 976	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	29
PID 3008 wrote to memory of 976	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	29
PID 3008 wrote to memory of 976	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	29
PID 3008 wrote to memory of 2720	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	30
PID 3008 wrote to memory of 2720	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	30
PID 3008 wrote to memory of 2720	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	30
PID 3008 wrote to memory of 2720	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	30
PID 3008 wrote to memory of 808	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	31
PID 3008 wrote to memory of 808	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	31
PID 3008 wrote to memory of 808	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	31
PID 3008 wrote to memory of 808	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	31
PID 3008 wrote to memory of 1360	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	32
PID 3008 wrote to memory of 1360	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	32
PID 3008 wrote to memory of 1360	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	32
PID 3008 wrote to memory of 1360	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	32
PID 3008 wrote to memory of 944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	33
PID 3008 wrote to memory of 944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	33
PID 3008 wrote to memory of 944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	33
PID 3008 wrote to memory of 944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	33
PID 3008 wrote to memory of 2944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	34
PID 3008 wrote to memory of 2944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	34
PID 3008 wrote to memory of 2944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	34
PID 3008 wrote to memory of 2944	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	34
PID 3008 wrote to memory of 2788	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	35
PID 3008 wrote to memory of 2788	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	35
PID 3008 wrote to memory of 2788	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	35
PID 3008 wrote to memory of 2788	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	35
PID 3008 wrote to memory of 440	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	36
PID 3008 wrote to memory of 440	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	36
PID 3008 wrote to memory of 440	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	36
PID 3008 wrote to memory of 440	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	36
PID 3008 wrote to memory of 1500	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	37
PID 3008 wrote to memory of 1500	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	37
PID 3008 wrote to memory of 1500	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	37
PID 3008 wrote to memory of 1500	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	37
PID 3008 wrote to memory of 844	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	38
PID 3008 wrote to memory of 844	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	38
PID 3008 wrote to memory of 844	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	38
PID 3008 wrote to memory of 844	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	38
PID 3008 wrote to memory of 1544	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	39
PID 3008 wrote to memory of 1544	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	39
PID 3008 wrote to memory of 1544	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	39
PID 3008 wrote to memory of 1544	3008	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe	39

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe

C:\Users\Admin\AppData\Local\Temp\3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe
"C:\Users\Admin\AppData\Local\Temp\3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3008
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:976
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2720
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1360
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2944
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2788
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:440
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:844
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1544

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
5e96ad807c67e1e467caec1cf2f082e3

SHA1
4100cb0ddc80a7efa95d5f35e167bfac2d9ed6a4

SHA256
0b4c783580941ee9cfbeee79a1efe14b1b834cbfbe00baf6dd38656f0116e5f1

SHA512
2ec67dbf01b6be721bdb3bd0677b74c2547474da053c8f167b57cda45bfd5aa85bc5ddbcbc52931c7a0694bd975189de5ee73abd91046b7b50d3c20ad97d4ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
e3134e50c088b94bed7cb58abe895978

SHA1
b7cc5f8f94efa39b3b39a381c4dfc05721ebf436

SHA256
b5a4d1652310815e3525b971d12d3573ad614b4e964fe62712f7ad54570c1338

SHA512
814877325c6a2e7d07b0dd2541df120aff4ca949a2df5767d448b1c18c4435b0933c7f0fb89efbb8ad6c8d683a951fb24efe798202933a1d07493358a55da4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
408e485f64bad8894993f7189a86d1cf

SHA1
b566e2694d7b5f912ed1bd6c906f24d26c9bac94

SHA256
c5781e709a77f57c83848c51993fa8257e1849308c8a0441bc8dd41bdc84fd01

SHA512
c6fdd48f8468ff4b43cbd0d9fb719a5704230c4d408ab6566737cd2c1fe58497178111fe8e5bcab3bd971b9794c245956de8d38a829401a3eb1a6cfd93d39649

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
1c316eeba686981d72258f5599b94010

SHA1
8c62688b26497196b0ff9dcefc63e1395d2118ed

SHA256
3385b5b2dbf291f71799fecb76f6562d01e99422deb29730b47710d1b22e0536

SHA512
1faa3721321898efe484109431a60d9b32bd28a9cbe92851872d0ce4b56dad0a44fdb067153700e1e0b9addf32bbeca220993c6e2a85763ff9b1922828116fe5

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
866f425ecd3729085b36bfc8c5f241f6

SHA1
a2d1b7f010ad210c1aba3900d431841d8d7e112c

SHA256
1041a68fc88f4827c8f5ec9ee46ee8a3460beb09c7675b157dafc7d41e43d950

SHA512
0552fc7db22ef025a3e2afa661623066063ed76539f9f8a209840352978cd9f611b72e66150e918b41956c140eb7556cc8d44ff72df0f53a86d40f7199e47e0d

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
65ae1d35bb90944562ef4518ad299edd

SHA1
8ea0f005d8daa73a81078e6e2dfea0225c6e9318

SHA256
c1972acde34f8fe0e5eaacda6fdf302f4bb69bcb0d106d061353520fa9754462

SHA512
8f8df960ebea10f99bc59ea55e21e8736e525023ed9348f728f84d6f3896f05290104b6f0a184ed2a871478c83e3e25e493b08307f1711f1ec90433a7e2faba8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
e65f94aea32b84f0fe33b1204133014d

SHA1
582be09f9605be93fc4cebf45392252d7467b8b7

SHA256
81e8b7316f338b09d9e3031fcc762d074daa34f9706aff1a94e32ee3b09a1ab7

SHA512
b5409ad8a10d7af421d7215b87a2fdafd1e267609438276e39968d0717f6794d2d5d23a3912ef1918cf626d2eb2511205d66d602bf3035bfd58564792bb498b2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
198b25531fd076cfb7acdb2c1b106298

SHA1
5053ad4db7d460b4749d7e1c0d1618ea7e59c94f

SHA256
212dde3de70a915aa1b17f26ed554d5626ede2fdc403b6a4a2c17b91d729bbcb

SHA512
32da8accc99a74a42be8eab633fcede4dfa86a303a149819d8b73f95cafb125cd3fe2e076f6509abea635027dbd3012a177fbf01fdfb1d6f7e8707ea7c60f20f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
8d77ad49393a2554ae61b5b66302c643

SHA1
6fb34ffd400f953e020dca6739c66c542b315b99

SHA256
812a4a42419ca3d1235b3e2a354604e7893a8ce35a41bdd1e8716769081af463

SHA512
6b350e26d6b114e10215d9433bae6ff92dddfaca33e312b9058f18d0e66a9a8150d76453a72802cf44ee978641551ae237da09b93b451d56ecb2a31b5bc37037

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
b57c9abc547a86e2f0580313c56a34ff

SHA1
2d5670cea58415b93ba5baea198937dbc8b9a3c4

SHA256
c714fe9f2921b76775f3ea0b9a3c489431bfe68f813253aa7d8657da066fddba

SHA512
fa4a689bd9a5624dc186567e23ad2b1fc02d6977446c33d803e56a63f7cebe6ad8cefba9b9a476a76556bec10267e9ed8d12417ce2e441cfd08719a6a18bf8b6

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
abde1813837275a906577ecd0c2988ea

SHA1
e7e7a05f673f0441c3305041e143580c7443285e

SHA256
1e5b423bd8327568dc184446614b2b63a374914b601d7ea34281f182162fa84c

SHA512
b08ef0b17cbf6e9d54faf8d8a0c54765f218e8d3535f13051de8f5ed332d18222aedd242d017b5954fe353b976b4dc0f434c0cdacc6330725a1862c6ebb18fce

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
27cdae68d8429a1731357af60b12ed2d

SHA1
c6579acac91508c1269631031a0991f297dc45db

SHA256
9093a5b3a8b27191fbb3635334b533df975abb3ea220f99751c75c1adea3480f

SHA512
960d46807c8a6b23da219daca68a95b43ea7557fa4272e976da00e0f768512862a2965fa3ca87fe3e4a6b0d8ceb2e92fc7093d47f19eb61965a0a996704a8f0c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
6b1e64920180006edf804a2bebec15b9

SHA1
f9bda5a479880bf4fddbb43db29318c70c09f892

SHA256
62b812b40f86e625510d0ea8e30b7008f68d96a86e242b2a2e953c3074ebc5ca

SHA512
e8e7609231b5d3b06828db6b80e6e2f42acadadb827cb9d326e97798a23d1c84fcbdee0f36e638a8f9a126d8012cf9afab700bb01a13ca94c322c34c74dd5c02

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
1348ab51cce8a8f05c6630a34cc50f4f

SHA1
b394a3885dc80891619f546315f82503c5b15541

SHA256
2e21c9bdc810d1819ae828c615fb25231e89a4f596af7802841423b289e3ba3f

SHA512
a05e3cc9b8e610515b0e8b4574268166dc5f971d0387c643ec518296c685d0358c0df364daddd41535fc59186074af357535b73bd76d3d15675ade895c5e69e9

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
4d3a5d47c38748b866a2837a605d1044

SHA1
a2a740510fae80e3dd47f62a2166383f27d3eea2

SHA256
c2ff7caa62988b54f22d544eadbeda4bb4c25299bf9fd6f70cacaea4afae2ec5

SHA512
1887372bd010a6d827e06e1d0f1b07f4def7c18b8580c5bbd0e8e573fd2063e74cfcfedb2500a00e7c74897cab46dd6f2ad3ef5e7d31f3787096b53256abc12a

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
5d6e1b9e8fda1167339bb57ff7f06bd6

SHA1
98400698d46e7fc007c672373195464786e52c44

SHA256
50bb959a3bcd6a5be8131d389a7c86ac87bd7297170863a9010498ff9fae2f90

SHA512
5ae5afca63f6727b169b941800584c7f0125b674db7a20eeb84f62cb1178ce73f9de0fc827282fc4b54d6ea3825b8861747ce8dd135b1c49df8660a582812acc

Download Submit
memory/440-261-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/440-257-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/808-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/844-287-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/944-230-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/976-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1360-175-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1500-274-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1544-299-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1956-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1956-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2116-324-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2720-135-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2788-255-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-239-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3008-244-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3008-264-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-270-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-232-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-233-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-281-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-282-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-218-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-220-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-296-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-291-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-157-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3008-134-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-109-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-106-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-449-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-450-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3008-451-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-453-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download
memory/3008-454-0x0000000002E20000-0x0000000002E4E000-memory.dmp

Filesize
184KB

Download