Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 22:14
Static task: static1
Behavioral task: behavioral1
  Sample: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
  Resource: win10v2004-20240508-en
General
Target: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
Size: 45KB
MD5: 4eae1eef38400d1e90011f887c700932
SHA1: 172988046bc829608da1865c5d1c942aa22493d6
SHA256: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
SHA512: 3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df
SSDEEP: 768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEqP:8AwEmBj3EXHn4x+9aqP
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Process: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Process: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Detects executables built or packed with MPress PE compressor (27 IoCs)
YARA rule (all entries): INDICATOR_EXE_Packed_MPress
Matching resources:
- behavioral1/memory/2912-0-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/files/0x0007000000014c2d-8.dat
- behavioral1/files/0x0007000000015cc5-110.dat
- behavioral1/memory/2912-108-0x0000000000540000-0x000000000056E000-memory.dmp
- behavioral1/memory/1920-111-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/files/0x0006000000015cee-116.dat
- behavioral1/memory/1920-115-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/2072-123-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/2072-126-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/files/0x0006000000015d0a-127.dat
- behavioral1/memory/2400-136-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/2400-137-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/files/0x0006000000015d21-138.dat
- behavioral1/memory/328-145-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/files/0x0006000000015d39-148.dat
- behavioral1/memory/328-151-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/2912-156-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/2068-161-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/files/0x0006000000015d59-162.dat
- behavioral1/memory/1568-169-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/1568-172-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/files/0x0006000000015d61-173.dat
- behavioral1/memory/1248-182-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/2912-181-0x0000000000540000-0x000000000056E000-memory.dmp
- behavioral1/memory/2912-180-0x0000000000540000-0x000000000056E000-memory.dmp
- behavioral1/memory/1248-186-0x0000000000400000-0x000000000042E000-memory.dmp
- behavioral1/memory/2912-188-0x0000000000400000-0x000000000042E000-memory.dmp
Disables RegEdit via registry modification (2 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (7 IoCs)
- PID 1920: xk.exe
- PID 2072: IExplorer.exe
- PID 2400: WINLOGON.EXE
- PID 328: CSRSS.EXE
- PID 2068: SERVICES.EXE
- PID 1568: LSASS.EXE
- PID 1248: SMSS.EXE
Loads dropped DLL (12 IoCs)
- PID 2912: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe (12 entries, all from this process)
Modifies system executable filetype association (2 TTPs, 13 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
Adds Run key to start application (2 TTPs, 5 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
Drops file in System32 directory (6 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File opened for modification: C:\Windows\SysWOW64\Mig2.scr
- File opened for modification: C:\Windows\SysWOW64\shell.exe
- File created: C:\Windows\SysWOW64\shell.exe
- File created: C:\Windows\SysWOW64\Mig2.scr
- File created: C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification: C:\Windows\SysWOW64\IExplorer.exe
Drops file in Windows directory (2 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- File opened for modification: C:\Windows\xk.exe
- File created: C:\Windows\xk.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel (4 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created: \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
- Set value (str): \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
Modifies registry class (15 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Suspicious behavior: EnumeratesProcesses (1 IoCs)
- PID 2912: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 2912: 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- PID 1920: xk.exe
- PID 2072: IExplorer.exe
- PID 2400: WINLOGON.EXE
- PID 328: CSRSS.EXE
- PID 2068: SERVICES.EXE
- PID 1568: LSASS.EXE
- PID 1248: SMSS.EXE
Suspicious use of WriteProcessMemory (28 IoCs)
Source process (all entries): PID 2912, 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- wrote to memory of PID 1920 (procid_target 28): 4 entries
- wrote to memory of PID 2072 (procid_target 29): 4 entries
- wrote to memory of PID 2400 (procid_target 30): 4 entries
- wrote to memory of PID 328 (procid_target 31): 4 entries
- wrote to memory of PID 2068 (procid_target 32): 4 entries
- wrote to memory of PID 1568 (procid_target 33): 4 entries
- wrote to memory of PID 1248 (procid_target 34): 4 entries
System policy modification (1 TTPs, 4 IoCs)
Process (all entries): 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
Processes
C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"
  PID: 2912
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child: C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    PID: 1920
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  Child: C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 2072
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  Child: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    PID: 2400
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  Child: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    PID: 328
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  Child: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    PID: 2068
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  Child: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    PID: 1568
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  Child: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    PID: 1248
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads