Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 22:26

Static task: static1

Behavioral task: behavioral1
Sample: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Resource: win10v2004-20240426-en
General
Target: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Size: 45KB
MD5: 636e5a04688045b7bb9e766678779042
SHA1: ee262b0581b7504b8705ba9943b62f25fa9208fd
SHA256: 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
SHA512: 96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c
SSDEEP: 768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEE:8AwEmBj3EXHn4x+9aE
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Detects executables built or packed with MPress PE compressor 45 IoCs
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Disables use of System Restore points 1 TTPs

Executes dropped EXE 14 IoCs
pid | Process
2420 | xk.exe
2796 | IExplorer.exe
312 | WINLOGON.EXE
1344 | CSRSS.EXE
368 | SERVICES.EXE
748 | LSASS.EXE
2292 | SMSS.EXE
3008 | xk.exe
2988 | IExplorer.exe
2904 | WINLOGON.EXE
1684 | CSRSS.EXE
1148 | SERVICES.EXE
3024 | LSASS.EXE
3052 | SMSS.EXE

Loads dropped DLL 24 IoCs
pid | Process
2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe (the same entry is listed 24 times in the report)

Modifies system executable filetype association 2 TTPs 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | C:\desktop.ini | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File created | C:\desktop.ini | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File opened for modification | F:\desktop.ini | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File created | F:\desktop.ini | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 20 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\shell.exe | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\Mig2.scr | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\shell.exe | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE

Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\xk.exe | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
File opened for modification | C:\Windows\xk.exe | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Control Panel 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | OUTLOOK.EXE

Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2844 | OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2844 | OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2844 | OUTLOOK.EXE
2844 | OUTLOOK.EXE
2844 | OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2844 | OUTLOOK.EXE
2844 | OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 16 IoCs
pid | Process
2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
2420 | xk.exe
2796 | IExplorer.exe
312 | WINLOGON.EXE
1344 | CSRSS.EXE
368 | SERVICES.EXE
748 | LSASS.EXE
2292 | SMSS.EXE
3008 | xk.exe
2988 | IExplorer.exe
2904 | WINLOGON.EXE
1684 | CSRSS.EXE
1148 | SERVICES.EXE
3024 | LSASS.EXE
3052 | SMSS.EXE
2844 | OUTLOOK.EXE

Suspicious use of WriteProcessMemory 56 IoCs
description | pid | Process | procid_target
(each row below appears four times in the report, giving the 56 entries)
PID 2076 wrote to memory of 2420 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 28
PID 2076 wrote to memory of 2796 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 29
PID 2076 wrote to memory of 312 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 30
PID 2076 wrote to memory of 1344 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 31
PID 2076 wrote to memory of 368 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 32
PID 2076 wrote to memory of 748 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 33
PID 2076 wrote to memory of 2292 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 34
PID 2076 wrote to memory of 3008 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 35
PID 2076 wrote to memory of 2988 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 36
PID 2076 wrote to memory of 2904 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 37
PID 2076 wrote to memory of 1684 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 38
PID 2076 wrote to memory of 1148 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 39
PID 2076 wrote to memory of 3024 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 40
PID 2076 wrote to memory of 3052 | 2076 | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe | 41
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe", level 1)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2076
-
C:\Windows\xk.exe (command line: C:\Windows\xk.exe, level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:312
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:368
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:748
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2292
-
-
C:\Windows\xk.exe (command line: C:\Windows\xk.exe, level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3008
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2988
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1684
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1148
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3024
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3052
-
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE (command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding, level 1)
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2844
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (7)
Replay Monitor
Downloads