Malware Analysis Report

2025-08-11 00:04

Sample ID 240525-15m3qsch63
Target 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
SHA256 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54

Threat Level: Known bad

The file 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Detects executables built or packed with MPress PE compressor

Disables use of System Restore points

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 22:14

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 22:14

Reported

2024-05-25 22:16

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2912 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\xk.exe
PID 2912 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\xk.exe
PID 2912 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\xk.exe
PID 2912 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\xk.exe
PID 2912 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2912 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2912 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2912 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2912 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2912 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2912 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2912 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2912 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2912 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2912 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2912 wrote to memory of 328 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2912 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2912 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2912 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2912 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2912 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2912 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2912 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2912 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2912 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2912 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2912 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2912 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

"C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2912-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 4eae1eef38400d1e90011f887c700932
SHA1 172988046bc829608da1865c5d1c942aa22493d6
SHA256 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
SHA512 3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df

memory/2912-109-0x0000000000540000-0x000000000056E000-memory.dmp

C:\Windows\xk.exe

MD5 d708fa901e2991c436d54453d58dd3fc
SHA1 93f7ee3e0fdff444343794c96accbff99befbeb7
SHA256 a806201ac1da4963163c7834426191f97cd11c2a3ac1ade9f2c3e5b2d765c3c2
SHA512 177865267d71acef0c84c9980824b57af91f232b5d3319d1d91a212206e3378d0e7bdd0ff3d6e55447a5adb5998617c9f5e302f7ace9e5eb2646451164379b66

memory/2912-108-0x0000000000540000-0x000000000056E000-memory.dmp

memory/1920-111-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 f691c2286b3f10b5911d4d73b4d5749e
SHA1 67b7c4251e555b84bc606384078ddcb3ea64c88b
SHA256 f40e8497cd0e8b0cf5b458639942ca2ee148094da6b292bc7369373617fd3cd5
SHA512 73f8e1d4e456e651eb9dfeac3209654f3d27d8ae943765ba82a2e3ea97885e94c7a90785c1d557d8596a3f206c410ed3c40adb6ac783436fff69b5656240b546

memory/1920-115-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2072-123-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2072-126-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 4f6e1923f4fd563cc9ff93315c5e955a
SHA1 54ae0ea2498acb54673aeda5312e987018fa11dc
SHA256 015dfc6fd876d90e9809ca45af139e2bd875d976f6739a60fadb5f9223935026
SHA512 ddc6205f7087ea95eedecc57ce564b63a1b7fb24142b4a5a609d98f1e9adb297296bad36079486f3cd308b96faf89fb57792bef0dfa4e93d3bd4c1a15d12e23e

memory/2400-136-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2400-137-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 1f5e42eaaf4ba5ceb943efe7d79fe1b7
SHA1 7520979954e0e9e5a6b8cd7a471a28382df3cf86
SHA256 37b37951adf15b74e9ac68024afa75fb153396a5341daebc8f671d6951090291
SHA512 79c7fce12d045bf53950815b55b5d5dbbedfe72f69d36aeca1935fb82c73d1c622b701c26619353c6ecd925f9586809ecc7009fb4be686480c806e6a82ae87cc

memory/328-145-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 92374656376d5541ee3ad20c8d1bdf38
SHA1 5f7422246defc547d6d5f770bbd41336e43bf299
SHA256 5f9eb83d4632d4ad4e9b9b7de59765714aca6b35f4ec635e1f11405b70b98bd1
SHA512 54e69bc2cf49fc3b6850b74b0b0012e2732bbc57c4905866dcd6f6acca62bc284d1e61ed2c86408515d9ceff73203a890a323a49b4a19d52c4bc1e1a036c5a4b

memory/328-151-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2912-156-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2068-161-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 37988b2bfc167881a2489481f9c13954
SHA1 ab85e0492e024aad5370c17e2420996096d865cf
SHA256 512d4b99172f04f86adf9725c330ce73a634f463688b4c70293533c7a2e5f1cf
SHA512 71a74dc8950f7713ee875704aa3f7141377ad234b3ee4ebcfb2fed24f46c2bb817c6e44163dfc659b36d0e78d019081d227f142b94c2926585faac028c1598f0

memory/1568-169-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1568-172-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 ce06fd118271b3de36a7a8daf8a02464
SHA1 31a5832d7d6cb34c4241d41fd6cb056c1b41fd32
SHA256 4493c5c95f1d05b8dec6ac126e9c678e3d2f645dd3ad61e0724201442b1e2293
SHA512 2ac89098b09570e508f4d1dde7041856f17021504e6810030c0421feb5b2d2be510143b689bcbdf55f55503fe9ca071f23d3135f0e4c3e7390f257f7d2207521

memory/1248-182-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2912-181-0x0000000000540000-0x000000000056E000-memory.dmp

memory/2912-180-0x0000000000540000-0x000000000056E000-memory.dmp

memory/1248-186-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2912-188-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 22:14

Reported

2024-05-25 22:16

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\xk.exe | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
File created | C:\Windows\xk.exe | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A

Modifies Control Panel

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4388 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Windows\xk.exe
PID 4388 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Windows\xk.exe
PID 4388 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Windows\xk.exe
PID 4388 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Windows\SysWOW64\IExplorer.exe
PID 4388 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Windows\SysWOW64\IExplorer.exe
PID 4388 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Windows\SysWOW64\IExplorer.exe
PID 4388 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4388 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4388 wrote to memory of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4388 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4388 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4388 wrote to memory of 3536 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4388 wrote to memory of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4388 wrote to memory of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4388 wrote to memory of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4388 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4388 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4388 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4388 wrote to memory of 4240 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4388 wrote to memory of 4240 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4388 wrote to memory of 4240 | N/A | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | N/A

Processes

Image | Command Line
C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe | "C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"
C:\Windows\xk.exe | C:\Windows\xk.exe
C:\Windows\SysWOW64\IExplorer.exe | C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE | "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/4388-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 4eae1eef38400d1e90011f887c700932
SHA1 172988046bc829608da1865c5d1c942aa22493d6
SHA256 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
SHA512 3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df

C:\Windows\xk.exe

MD5 b3d569fd8d3fe816bce3bec44de87f0c
SHA1 0387bcf13d2d562d9f326ea277833f151a213647
SHA256 dd66aeac3e21a3fbafec51876dc181edff98a6170f3c13aa352913723e69854e
SHA512 eb7c25980f073ae81a10c760dc59a81c982f95032c565243242b5acfdf718f41b6bd9ef1a8a7cbd66686e525d1ffffffab0e4a58bf2e1beae9ddd38fbfb13ff5

memory/1724-107-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 e9c5413f77e1af8dd6f89b0a5c6a13d2
SHA1 f2666b1b9a375c4d752a719b6fbd7eeca23b0480
SHA256 9e4f333d8235e0171d801cf3116234e6884e942d01a0faac5b97135b5274322f
SHA512 0e383c4cc8a39c1dc436179ac84eec069f3e422863fa1d47605bcb7f6b8af62f6d207409de32f3c9be949c8f98b1760a4a935a25e4fff52685367db780fc0db7

memory/1724-113-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2268-119-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 c87e6ba06cfd691f716d75d6ff8e7f48
SHA1 1c4c3a318e5a5aa1394fdcc05ac7fdf804190662
SHA256 d959b5fbeced78bdae9710f7b0e5d79593bc9a3ea002acbe4a30565e34001ad1
SHA512 5ad906ea775cc457fba9b090c539ff3f9f7854f23ce3c7e9d8090de190c85276b952be91e82abef433f25b01a1d98b30ffd1571bbd808d8150f635d8dd6de49d

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 6ca525e3e833ca6bc0e11488e22863d9
SHA1 61bf9528de29638e048f59fe2fde9ec76ed68b78
SHA256 5ec1f841e3179c36a12786f0c12107426d58a39d1292b1ef524084a102b48f13
SHA512 b5eb7d10321d80da5c355f04ce094c0de45a2be292804076963c5b01d1aa24dad8be1caaa4d954775e88c420df5da474efccb98a989016d08e7b24beda20698e

memory/4668-127-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3536-133-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 495c7c969724a5e4265b49eb4dc6adb1
SHA1 bf8bf19ace31a35373eae0e3317eafed0289c0f7
SHA256 67a136377f523e6c3b0536c578e9c5328285e08725bd1a419be6e7f4398f8421
SHA512 d1cb7e0fdc14019e301b63aea7d40d190f9e4b580b890f0728dd29793268f6d47baca980354b8c2ce5cdbc8db6c0b8cfe3efc61f5aab5f1320335e950e242834

memory/608-140-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 4e2c2bc2e086de273f574deaf3bc394d
SHA1 fbf6ecc1b1a790a8e3c793c1610c2de39ec56a4e
SHA256 c640c05ce95da18c9f35174fdc0fdd25ddbe99a5c43ed380978086888c27fd2f
SHA512 feeb012f518888c51aee47dd139dc0c256117515048824a1f685083118924049f84f3010cdfc32713850cb65a68af31d2e7476101f9cb35e2c9f919a7371214c

memory/1496-148-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 fccb4bd5998eb636d14aa784b5ca4d43
SHA1 21ac50f2d23d2e12f2749c7879167d26c8c1881b
SHA256 9155a1d579eede6d3003e091a42f68b8433ff9ca4aea466a8b997ab2a3742173
SHA512 d928dd6683ef9ed805ccd9099006c61b4493e60d6bab7bb8dab99bf56fcbfb48fb478f353568dde14c74eb7cd060121975e20985e843201eff489ec50d7e8c4c

memory/4240-154-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4388-156-0x0000000000400000-0x000000000042E000-memory.dmp