Malware Analysis Report

2025-08-05 19:16

Sample ID 240526-eew23adh6x
Target dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
SHA256 dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93

Threat Level: Known bad

The file dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Detects executables built or packed with MPress PE compressor

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables use of System Restore points

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 03:51

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 03:51

Reported

2024-05-26 03:54

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\xk.exe
PID 1720 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\xk.exe
PID 1720 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\xk.exe
PID 1720 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\xk.exe
PID 1720 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1720 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1720 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1720 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1720 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1720 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1720 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1720 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1720 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1720 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1720 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1720 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1720 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1720 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1720 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1720 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1720 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1720 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1720 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1720 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1720 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1720 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1720 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1720 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe

"C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/1720-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 2835b0b18d506ee17195779b74fd5efb
SHA1 22fee58891fccfb3acfa278d376e28be5f8726d7
SHA256 dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
SHA512 df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c

memory/2332-111-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1720-110-0x0000000002520000-0x000000000254E000-memory.dmp

C:\Windows\xk.exe

MD5 d7deea285920b9b5ec4ea5ad9bf70941
SHA1 d9623a424025056dbc1454f70d638bf530ca0cff
SHA256 c9bc4f226cf1fa1379cafa44adf7542b3587798ba44b8f0c5a5ba799e3e7aad2
SHA512 d48d050ad4c9d24ad3e778f8d7e6fbd81c50a19336a8b8d3228895cdbb852072a221064cbdf2b0f74dab24203dcd81ae537888dc48c2cbd90183d09b078fa511

memory/2332-114-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 62627a96a0ad5ac26f930cc8d5356c35
SHA1 06141054829c3c36cb14eeab15e30606951bb924
SHA256 727ad227afa3362e5e16776edb5c6a06ecfa9db39fe4e9422083083498423d99
SHA512 85efdceffb3786412e6dbc7cc52c249193c9b763fe1f0b04e2930bb28c2a0d21d00f6cf827b0f94cace468a9b3b80ebce4ce9287907bf6789453e94d0cb145f2

memory/2496-122-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2496-125-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 5cc2f01aec8c0543eabed83592ed878e
SHA1 0b97f8d4c78040494bc6f5af7a3958ba78ae373e
SHA256 06a37d24e65c75e6a5a87c990dccb62c73476d2d3118c52933900550923b3bd7
SHA512 28b290b881d1f07068b226a20fdf2e312bf455bad1a48372be16fd796625bd00b4e68abf89ef3c6b1a5602a29223be1b1605c885e537c69b18dc933fe8d5d4f6

memory/2300-135-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 70a1b4ffe5bd642e5524fd6812992ab4
SHA1 7b0fb1c8e3e654a00cd83c385faf6d339569d29e
SHA256 2194d6b56c39d6449ac2af37e14ed5bb703a7706822be6ba648fe4b0969a958c
SHA512 057a81b4bfd83ffb40e191b059544f3c44af900bde23d4a7defb953d24faa6e9dc4b1a635a8941341ee0b31f61d38e588ffd02685c32300659eac38881da01b9

memory/2300-137-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 3852c85af939ae35624e9743e59b8aa6
SHA1 a7a6635435deb35daf9f4cf30111ae65933ab891
SHA256 ad3a88fd8fce2f576d60e1d89791a66a4c9f2279c0438cd6e06b923cfaafc6df
SHA512 a0e071f617ea72c4942ecac7f83e0cf67f66bbb1b53d9b5ad436f1e9e25ed34e796b0421f984bef9ad5aa885e5c274b24b98bc9fa1089b1cc1aef020453f2921

memory/1664-150-0x0000000000400000-0x000000000042E000-memory.dmp

memory/760-159-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1720-157-0x0000000000400000-0x000000000042E000-memory.dmp

memory/760-161-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 9d669fc6ea195329dfca2bda16a8f6e4
SHA1 49ba9dd41642749cb235dce02292bc0df8e1213c
SHA256 280b51b67cfd828c826e61c4ddf4c97225c1bd0bba5a45a140df04bc665b0079
SHA512 d1fbf73e78f3ca3a52b308bb80b802fcb6e61db67bd12112009eaa56bd36d0125b557d1a732043f197f00de77b31ad21bf073d2fd0dc28085f1b279e62985253

memory/2444-171-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 7e0f131f643fc35864884b60acc9bc29
SHA1 6e94d31a3032d4888cfbd04e4d83fd3211e1d1ed
SHA256 766249c372a13a49f72f26b4bfb90897e5526642121114bf333620a371afd81c
SHA512 2b53ac7ab942f44e610d8a62e21c290c064a9cafd7df30ed5eff5c630c8970b4a6a094a2769147b549a45868172b645d4c172e0c72efd9dd5ff88aac3f636eeb

memory/2704-183-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1720-182-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 03:51

Reported

2024-05-26 03:54

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 1600 (3 write events recorded) N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\xk.exe
PID 2340 wrote to memory of 4208 (3 write events recorded) N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2340 wrote to memory of 3016 (3 write events recorded) N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2340 wrote to memory of 2480 (3 write events recorded) N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2340 wrote to memory of 4724 (3 write events recorded) N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2340 wrote to memory of 3652 (3 write events recorded) N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2340 wrote to memory of 2492 (3 write events recorded) N/A C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe N/A
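
The Run-key, screensaver, file-association and policy writes in the tables above are the whole persistence and lockout story of this sample, and they are easier to act on once classified than when read row by row. The Python below is an added example, not part of this report or of the sandbox that produced it: it parses rows in the report's own `Set value (type) key\name = "data"` form (the trailing Process and Target columns may be present or absent), undoes the sandbox's backslash escaping, and labels each write with the mechanism it serves. The clean-install default of "%1" %* for the exefile, batfile, comfile and piffile open commands, the absence of any open command for lnkfile, and the ATT&CK technique IDs are the author's assumptions, not values taken from the report.

```python
"""Turn the registry writes listed in the signature tables into persistence
and evasion findings. Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass

# Rows copied from the tables above (constructed test input; the Process and
# Target columns are omitted because the parser does not use them).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"',
]

# 'Set value (type) <key>\<name> = "<data>"' with the sandbox's \\ and \" escaping;
# anything after the closing quote (Process, Target) is captured and ignored.
ROW_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "((?:[^"\\]|\\.)*)"(?:\s+(.*))?$')
ASSOC_RE = re.compile(r'\\Classes\\(\w+)\\shell\\open\\command$', re.IGNORECASE)
PROGID_RE = re.compile(r'\\Classes\\(\w+)$', re.IGNORECASE)

# Open commands these ProgIDs carry on a clean install (author's assumption);
# lnkfile has none, so any value there is suspicious on its own.
DEFAULT_OPEN_COMMANDS = {p: '"%1" %*' for p in ("exefile", "batfile", "comfile", "piffile")}


@dataclass
class Finding:
    technique: str
    key: str
    name: str
    data: str
    note: str = ""


def parse_row(row):
    """Return (value_type, key, value_name, data) or None for a non-matching row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    vtype, path, raw = m.group(1), m.group(2), m.group(3)
    data = re.sub(r'\\(.)', r'\1', raw)      # undo the \\ and \" escaping
    if path.endswith("\\"):                   # trailing backslash: the key's (Default) value
        return vtype, path[:-1], "", data
    key, _, name = path.rpartition("\\")
    return vtype, key, name, data


def classify(key, name, data):
    """Map one registry write to a Finding; None means the value is the default."""
    low = key.lower()
    if low.endswith("\\currentversion\\run"):
        return Finding("T1547.001 Run key persistence", key, name, data, f"autostarts {data}")
    if low.endswith("\\control panel\\desktop"):
        note = "screensaver image replaced" if name.upper() == "SCRNSAVE.EXE" else "supporting screensaver setting"
        return Finding("T1546.002 Screensaver persistence", key, name, data, note)
    m = ASSOC_RE.search(key)
    if m:
        progid = m.group(1).lower()
        expected = DEFAULT_OPEN_COMMANDS.get(progid)
        if expected is None:
            note = f"{progid} has no open command on a clean install"
        elif data == expected:
            return None
        else:
            note = f"expected {expected}"
        return Finding("T1546.001 File association hijack", key, name, data, note)
    m = PROGID_RE.search(key)
    if m and name == "":                       # the ProgID's display name (Explorer "Type" column)
        return Finding("T1036 Masquerading", key, name, data,
                       f"Explorer will show {m.group(1)} items typed as {data!r}")
    if "\\policies\\" in low:
        return Finding("T1562.001 Policy lockout", key, name, data, f"{name}={data}")
    return Finding("T1112 Modify registry", key, name, data)


def triage(rows):
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        _, key, name, data = parsed
        finding = classify(key, name, data)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_ROWS):
        print(f"{f.technique:36} {f.name or '(Default)':22} {f.data!r:48} {f.note}")
```

The exefile entry is the one that matters most operationally: with shell\open\command pointing at shell.exe "%1" %*, every program started through the shell is launched via shell.exe first, so restoring that value to "%1" %* is the first remediation step, and classify() can be fed values read back from a live host (for example through winreg) to confirm the hijack is gone.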

Processes (image path followed by its command line; the sample runs as a 32-bit process under WOW64, so the system32 path in the IExplorer.exe command line is redirected to SysWOW64 by WOW64 file-system redirection, which is why the dropped file is listed under C:\Windows\SysWOW64)

C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe

"C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
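
The WriteProcessMemory table shows PID 2340 (the submitted sample) writing into each of seven child processes, and the process list shows that those children are the sample's own dropped files named after Windows system binaries (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) but started from the user profile, plus an IExplorer.exe in SysWOW64. The Python below is an added example, not part of this report or sandbox: it aggregates the write rows per (writer, target) pair and flags any target image whose name imitates a system process from a directory it would never legitimately run from. The list of names that run only from System32 and the iexplore.exe comparison are the author's assumptions.

```python
"""Correlate the WriteProcessMemory rows with the process list: count writes
per target and flag images that imitate Windows system processes from the
wrong directory. Added example, not part of the sandbox report."""
import re
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"
PROFILE = r"C:\Users\Admin\Local Settings\Application Data\WINDOWS"

# (target pid, target image) pairs copied from the table above; each pair was
# listed three times in the report, which the comprehension below reproduces
# (constructed test input).
TARGETS = [
    (1600, r"C:\Windows\xk.exe"),
    (4208, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (3016, PROFILE + r"\WINLOGON.EXE"),
    (2480, PROFILE + r"\CSRSS.EXE"),
    (4724, PROFILE + r"\SERVICES.EXE"),
    (3652, PROFILE + r"\LSASS.EXE"),
    (2492, PROFILE + r"\SMSS.EXE"),
]
WPM_ROWS = [f"PID 2340 wrote to memory of {pid} N/A {SAMPLE} {image}"
            for pid, image in TARGETS for _ in range(3)]

# "PID <src> wrote to memory of <dst> N/A <writer image> <target image>"; the
# writer image has no spaces, the target image may (Local Settings\Application Data).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+)$", re.IGNORECASE)

# Binaries that only legitimately run from C:\Windows\System32 (author's list)
SYSTEM32_ONLY = {"winlogon.exe", "csrss.exe", "lsass.exe", "smss.exe", "services.exe", "wininit.exe"}
# Names chosen to resemble a real program that actually lives elsewhere (author's list)
LOOKALIKES = {"iexplorer.exe": "iexplore.exe (Internet Explorer, under Program Files)"}


def masquerade_flag(image):
    """Describe why an image path looks like T1036.005 masquerading, or '' if it does not."""
    p = PureWindowsPath(image)
    name, parent = p.name.lower(), str(p.parent).lower()
    if name in SYSTEM32_ONLY and parent != r"c:\windows\system32":
        return f"{p.name} outside System32 (T1036.005)"
    if name in LOOKALIKES:
        return f"{p.name} resembles {LOOKALIKES[name]} (T1036.005)"
    return ""


def injection_map(rows):
    """Return one record per (writer, target) pair with the number of write events."""
    writes, images = Counter(), {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        writes[(src, dst)] += 1
        images[dst] = m.group(4)
    return [{"writer": src, "pid": dst, "image": images[dst], "writes": n,
             "flag": masquerade_flag(images[dst])}
            for (src, dst), n in sorted(writes.items())]


if __name__ == "__main__":
    for rec in injection_map(WPM_ROWS):
        print(f"{rec['writer']} -> {rec['pid']:5} x{rec['writes']}  {rec['image']}  {rec['flag']}")
```

Six of the seven targets are flagged; only xk.exe carries no system-process name. The same masquerade_flag() check applied to a live process list (image path per PID) is a cheap hunt for this family's dropped copies, since the real winlogon.exe, csrss.exe, lsass.exe, smss.exe and services.exe never run from a user profile.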

Network

No process attribution is recorded for this traffic. The reverse (in-addr.arpa) lookups to 8.8.8.8 and the TLS connections to www.bing.com and tse1.mm.bing.net are consistent with the sandbox's own Windows background activity rather than with command-and-control by the sample; do not promote them to network IOCs without process-level evidence.

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files (dropped binaries and per-process memory dumps)

Path note: "Local Settings\Application Data" is the legacy junction to "AppData\Local", so the WINDOWS\ entries below are one directory whichever prefix the sandbox printed. Two different winlogon binaries are listed: C:\Users\Admin\AppData\Local\winlogon.exe carries the submitted sample's own SHA256 (a self-copy), while WINDOWS\WINLOGON.EXE is a distinct dropped file. All ten memory dumps cover the same 0x400000-0x42E000 region.

memory/2340-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 2835b0b18d506ee17195779b74fd5efb
SHA1 22fee58891fccfb3acfa278d376e28be5f8726d7
SHA256 dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
SHA512 df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c

C:\Windows\xk.exe

MD5 6aae7800264cd455514e6dc707abb33d
SHA1 0340e043c29bfe242a19bd2e7b4f848c17822497
SHA256 87f13175c6c7c8a98ccf7a63c336a9775a9ffe8031af8f6e081f511245e9e0ad
SHA512 3f13549491d0f7e566c00bdc35081b01cf513085354489bd30c497951388ec66508adc321653e68969d7bc6d7b3a27353d8f0d6e49f3e3a048b5385dcb58be27

C:\Windows\SysWOW64\IExplorer.exe

MD5 81c3e4d144481943e744a51f7d5704d7
SHA1 6c1da16e8c9d441795a8a063029c516af6e32a9c
SHA256 d7e82662fb681e17b1294f65c3284e371d2d7c6acc3b4858708085bc19484f51
SHA512 d18ed055bcefb5ae4f7acf20499ba6fdbaccc95a473eefcec7d163f16312507a3bb7c697c755fb636845f525c225fb677a811585958c3fd8cdee49b5683217a8

memory/1600-111-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

MD5 c436b301f9588ff17d835b76e98731ca
SHA1 d9bb7696ef72698defaa42b63fcec42dd9a0798c
SHA256 ab0d36a5911cbb89f89e3356fc8815364db9b7efa182c23ccabbeff2d8bc4e0e
SHA512 9a9a8299f67447acebb5ea7c2476faeb4fb917b052490778519bb4370842995924c6305944df2e27c139571b68c7b1b47f95bb98e2713784e10e3ce7afb7d93e

memory/3016-122-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4208-121-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3016-126-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 a5c3a51c086f63c9dd44c35e3dc9228c
SHA1 da79eda929540760e40f83f28fcd8c3958228cdc
SHA256 af91cd9e3aa86a5c37468a6d66e0b6dbd25692902053639968604902a85045a1
SHA512 6f66de9033667541f77b1d89527c16eff6159b838971913b42133d181f2cdfc28291112e166bc951a7c1ce3c8b680063bff488d7cbaae96d786d7e9e5a99ac5e

memory/2480-131-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 9438b88fbf174389c124d6301269cbcb
SHA1 dd22bd0f6b3d07ce9d2a8a328b9d561d66b35101
SHA256 b4cc04309abd18cdd6dc29c5705b50595ce5ae687d0b44bc64a35d92e64742ae
SHA512 0686164ac898f2214e045a9732680422d23fdaa48a872ebe68b62515ebeeb2b1de792d95cd0007c7feca6217e5c05fc803b6d9e0fe9ec7634977ed931ac0129a

memory/4724-138-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 dde2b831ac85a7ffc2dda2fb7b156785
SHA1 696b79dc74918737c0eeb62aebb90191834f388f
SHA256 fb8cd369c7d908e3443c96ccc82c645b1928ee7a0aea064d37463c44d600e254
SHA512 5b8d2b9943330ab321193486a556ce34b798174148df1e5fbb249279cef113cf71d6765ce6dd7a36e3cbc66812f5627efd3683edb3b452ff4a9edb37df669095

memory/3652-144-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 47d20245560a6992ac6765f47a499709
SHA1 597753a105feeb4a7e8095b11c065c2cc1af42bb
SHA256 a94d3174c1f89913f952603829caa2d7b64622c4713437dcd0960f6b02b277b1
SHA512 d30a035a971e3cc46c450ef63f515f196ec72594a28b3dc5f9252b14d0f20379db256ea96fd3f82d22d521abab51db31883342e07c6c3e898bb1ee54e034e06d

memory/2340-153-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2492-151-0x0000000000400000-0x000000000042E000-memory.dmp
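
The Files section mixes dropped binaries with per-process memory dumps and spells the same profile directory two ways, which makes it easy to double-count or to miss that one "dropped" file is the sample itself. The Python below is an added example, not part of this report or sandbox: it normalises the junction spelling, groups paths by SHA256, reports which dropped file is a byte-identical copy of the submitted sample, and parses the dump names into (pid, sequence, base, size) so the shared region can be checked mechanically. The hashes and dump names are copied from the section above; the junction mapping is the author's assumption.

```python
"""Consolidate the Files section: collapse junction spellings, group dropped
files by SHA256, spot self-copies of the sample and summarise memory dumps.
Added example, not part of the sandbox report."""
import re
from collections import defaultdict
from typing import NamedTuple

SAMPLE_SHA256 = "dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93"

# (path, sha256) pairs copied from the Files section (constructed test input)
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\winlogon.exe", SAMPLE_SHA256),
    (r"C:\Windows\xk.exe", "87f13175c6c7c8a98ccf7a63c336a9775a9ffe8031af8f6e081f511245e9e0ad"),
    (r"C:\Windows\SysWOW64\IExplorer.exe", "d7e82662fb681e17b1294f65c3284e371d2d7c6acc3b4858708085bc19484f51"),
    (r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE",
     "ab0d36a5911cbb89f89e3356fc8815364db9b7efa182c23ccabbeff2d8bc4e0e"),
    (r"C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE", "af91cd9e3aa86a5c37468a6d66e0b6dbd25692902053639968604902a85045a1"),
    (r"C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE", "b4cc04309abd18cdd6dc29c5705b50595ce5ae687d0b44bc64a35d92e64742ae"),
    (r"C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE", "fb8cd369c7d908e3443c96ccc82c645b1928ee7a0aea064d37463c44d600e254"),
    (r"C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE", "a94d3174c1f89913f952603829caa2d7b64622c4713437dcd0960f6b02b277b1"),
]

# Dump names copied from the Files section (constructed test input)
MEMORY_DUMPS = [
    "memory/2340-0-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/1600-111-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/3016-122-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/4208-121-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/3016-126-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2480-131-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/4724-138-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/3652-144-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2340-153-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2492-151-0x0000000000400000-0x000000000042E000-memory.dmp",
]

# "Local Settings\Application Data" is the legacy junction to "AppData\Local"
# (author's assumption about the sandbox's Windows image).
JUNCTION_RE = re.compile(r"\\Local Settings\\Application Data\\", re.IGNORECASE)
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def normalize(path):
    """Rewrite the junction spelling so both forms of the profile path compare equal."""
    return JUNCTION_RE.sub(r"\\AppData\\Local\\", path)


def by_hash(dropped):
    """Group normalised paths by lower-case SHA256."""
    groups = defaultdict(list)
    for path, sha in dropped:
        groups[sha.lower()].append(normalize(path))
    return dict(groups)


def self_copies(dropped, sample_sha=SAMPLE_SHA256):
    """Dropped files whose hash equals the submitted sample's, i.e. plain copies of it."""
    return by_hash(dropped).get(sample_sha.lower(), [])


class Dump(NamedTuple):
    pid: int
    seq: int
    base: int
    size: int


def dump_ranges(names):
    """Parse memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp names into Dump records."""
    out = []
    for n in names:
        m = DUMP_RE.search(n)
        if m:
            base, end = int(m.group(3), 16), int(m.group(4), 16)
            out.append(Dump(int(m.group(1)), int(m.group(2)), base, end - base))
    return out


def shared_region(dumps):
    """Return the single (base, size) every dump covers, or None if they differ."""
    regions = {(d.base, d.size) for d in dumps}
    return regions.pop() if len(regions) == 1 else None


def ioc_summary(dropped, dump_names):
    dumps = dump_ranges(dump_names)
    return {
        "unique_sha256": sorted(by_hash(dropped)),
        "self_copies": self_copies(dropped),
        "dumped_pids": sorted({d.pid for d in dumps}),
        "shared_region": shared_region(dumps),
    }


if __name__ == "__main__":
    for k, v in ioc_summary(DROPPED, MEMORY_DUMPS).items():
        print(f"{k}: {v}")
```

Eight distinct hashes come out, seven of them new binaries worth adding to a blocklist and one the sample itself. The ten dumps all cover a 0x2E000-byte region at 0x400000 in eight different PIDs; the same base address in every process is what an image that is not relocated by ASLR looks like, which makes the dump region a stable anchor for a memory-resident rule for this sample.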