a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Size

91KB
MD5

5b55d07ee1a06e0e149f7a12031ea5e1
SHA1

dca66ca8c269ea9ca355d6e0b3f3d1925db63faa
SHA256

a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05
SHA512

83491e7ed10c4125e9d9ff34abef77726d23e6e6166309b16224528c6f859dff936fa27d538859a99f6009bbc634855f1c1a570893c1d974f5d7341f3e6af60e
SSDEEP

1536:XRsjdLaslqdBXvTUL0Hnouy8VjERsjdLaslqdBXvTUL0Hnouy8VjYf:XOJKqsout9EOJKqsout9Yf

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

UPX dump on OEP (original entry point) 22 IoCs

resource	yara_rule
behavioral1/memory/1300-0-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00070000000155e2-8.dat	UPX
behavioral1/files/0x0006000000016d36-109.dat	UPX
behavioral1/memory/2848-114-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016d55-116.dat	UPX
behavioral1/memory/2848-115-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1300-117-0x0000000000720000-0x000000000074F000-memory.dmp	UPX
behavioral1/memory/1192-126-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016d89-127.dat	UPX
behavioral1/memory/1496-139-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016e56-145.dat	UPX
behavioral1/memory/2240-146-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2240-149-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1300-158-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x000600000001704f-157.dat	UPX
behavioral1/files/0x0006000000017090-169.dat	UPX
behavioral1/files/0x000500000001868c-173.dat	UPX
behavioral1/memory/2432-172-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1528-180-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1300-185-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1528-184-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1796-162-0x0000000000400000-0x000000000042F000-memory.dmp	UPX

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2848	xk.exe
1192	IExplorer.exe
1496	WINLOGON.EXE
2240	CSRSS.EXE
1796	SERVICES.EXE
2432	LSASS.EXE
1528	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1300-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00070000000155e2-8.dat	upx
behavioral1/files/0x0006000000016d36-109.dat	upx
behavioral1/memory/2848-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d55-116.dat	upx
behavioral1/memory/2848-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1300-117-0x0000000000720000-0x000000000074F000-memory.dmp	upx
behavioral1/memory/1192-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d89-127.dat	upx
behavioral1/memory/1496-139-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016e56-145.dat	upx
behavioral1/memory/2240-146-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2240-149-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1300-158-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001704f-157.dat	upx
behavioral1/files/0x0006000000017090-169.dat	upx
behavioral1/files/0x000500000001868c-173.dat	upx
behavioral1/memory/2432-172-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1528-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1300-185-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1528-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1796-162-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
File created	C:\Windows\SysWOW64\shell.exe	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
File created	C:\Windows\SysWOW64\Mig2.scr	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\xk.exe	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
File opened for modification	C:\Windows\xk.exe	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
2848	xk.exe
1192	IExplorer.exe
1496	WINLOGON.EXE
2240	CSRSS.EXE
1796	SERVICES.EXE
2432	LSASS.EXE
1528	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2848	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	28
PID 1300 wrote to memory of 2848	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	28
PID 1300 wrote to memory of 2848	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	28
PID 1300 wrote to memory of 2848	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	28
PID 1300 wrote to memory of 1192	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	29
PID 1300 wrote to memory of 1192	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	29
PID 1300 wrote to memory of 1192	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	29
PID 1300 wrote to memory of 1192	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	29
PID 1300 wrote to memory of 1496	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	30
PID 1300 wrote to memory of 1496	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	30
PID 1300 wrote to memory of 1496	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	30
PID 1300 wrote to memory of 1496	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	30
PID 1300 wrote to memory of 2240	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	31
PID 1300 wrote to memory of 2240	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	31
PID 1300 wrote to memory of 2240	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	31
PID 1300 wrote to memory of 2240	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	31
PID 1300 wrote to memory of 1796	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	32
PID 1300 wrote to memory of 1796	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	32
PID 1300 wrote to memory of 1796	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	32
PID 1300 wrote to memory of 1796	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	32
PID 1300 wrote to memory of 2432	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	33
PID 1300 wrote to memory of 2432	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	33
PID 1300 wrote to memory of 2432	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	33
PID 1300 wrote to memory of 2432	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	33
PID 1300 wrote to memory of 1528	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	34
PID 1300 wrote to memory of 1528	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	34
PID 1300 wrote to memory of 1528	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	34
PID 1300 wrote to memory of 1528	1300	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe

C:\Users\Admin\AppData\Local\Temp\a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe
"C:\Users\Admin\AppData\Local\Temp\a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1300
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2848
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1192
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1496
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2240
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
48b8b57199a50abd5a30f28bc75f73df

SHA1
aefbd7c82e3e1451567815c7b6f8d01cce3ef72f

SHA256
27151094ce3f02181f5e291183ad0874393aa6a3a36877b286dfc4018541f6c2

SHA512
81c2afd078c697d2024d1193b68a56f7eaaec7dcea86107823b2aa59ef41849f2a8e8ce75febc738b62c4da89be57fced3a5932c54d67c0463a07cefa8fe9321

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
7439b603c594efc095615d09393be762

SHA1
2c2d701cee49171543f7cf5dc820d9813ddcc745

SHA256
bfee86c7a136b2f694708891df29a81d16775afc728ea520277f9e5eb04920b5

SHA512
36ba96f4a11a8df75b701fbabacd8942b9418a53bba57945005090b08bea1569bd981740eaaa4f3f168be74efe7b0501df6f63e1c6ff3f9a1596b9c94804043d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
aee2b320aa9f307ab73f1784543249c4

SHA1
bc5168c5255dffe827383a458b5cf323731b8a77

SHA256
236831eb87d8255e376110e544b2b35b72098fb3f5928685df4bcb82a804decb

SHA512
81cfd8cc6ad3780eea141de75ec00c62fbc76c2ee4bc4f3ebc86acdee735bbeb637a81b67f6c5c70d0ebc1050a5f7f58e7e774048a38c4ee0e291f7b836a9298

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
5b55d07ee1a06e0e149f7a12031ea5e1

SHA1
dca66ca8c269ea9ca355d6e0b3f3d1925db63faa

SHA256
a026042dc2e48257fbf609822d8d9e396ef272a351e9f9ae26d2a825b9a80a05

SHA512
83491e7ed10c4125e9d9ff34abef77726d23e6e6166309b16224528c6f859dff936fa27d538859a99f6009bbc634855f1c1a570893c1d974f5d7341f3e6af60e

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
b335f3c4298892b4414da4268d631651

SHA1
56f0ef33b159e248b12969f1f61a8c6e7e10989a

SHA256
1436068572f9eda84118805b0f8bc5b81e553d97b155ded09486e88077ff0406

SHA512
3dd68e1e5178c4cc92c199bd74c27b8a7b561a97635169ab460b569762e40256d698ce8a04a974991a252dee79c6583fd7f5046a6b59ebb1a68dd2aedd5a4a4e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
a326e90b1576ee346dfc6868d102bb02

SHA1
782f455e4035ed8d7e5e9e5a00cb010a517a1fe8

SHA256
fb901ff7659babf651abf650ed1abfa72d8b1c0e0b353c8fe4edf89ecb964dea

SHA512
aa3e765da7e0c1059026723b78127040c966bd7661a1e808c882a972995f04f67cf46433a1ce6bbd44d0783bfa7e5a9f0672db1486cfce4d2dcc59374b8efc6f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
625e4acb598d86b7f22a2446747a2417

SHA1
3c5d2c05d68ffb78978df82d83b9501d63ba25ec

SHA256
8f3dc1d9717ccb4424a62e270b89dedbe20dc2b28b77101b9a2daf91ff07cd33

SHA512
2a879db1707b193868a7cbac3955c3a41cf348a4e1d1047408e174d959c3f0dcfd6ec5d853be93440e3518c5c82eacbee7e6cfc7f8219da7c186a195c9da0007

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
ee7713e2dc99eee3e928df0470e56161

SHA1
fba5e832967f1f27cf8405780e40b122581c2bb8

SHA256
e7f075f41ce103c8d00d80e5c44b98974eff1dc6ed82a59a558d57d1eb50c245

SHA512
2ce5154f786b08e08bb4ba0b04dffe708258c7c27db7e5f7ec16d0c7f3a727a2596a9617f57b970459cb2e2a258e289ecd910cc94848a8cee9f2467f1e7c1bb3

Download Submit
memory/1192-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-156-0x0000000000720000-0x000000000074F000-memory.dmp

Filesize
188KB

Download
memory/1300-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-134-0x0000000000720000-0x000000000074F000-memory.dmp

Filesize
188KB

Download
memory/1300-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-117-0x0000000000720000-0x000000000074F000-memory.dmp

Filesize
188KB

Download
memory/1300-110-0x0000000000720000-0x000000000074F000-memory.dmp

Filesize
188KB

Download
memory/1300-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-112-0x0000000000720000-0x000000000074F000-memory.dmp

Filesize
188KB

Download
memory/1496-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2432-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download