Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/05/2024, 20:32
Behavioral task: behavioral1
Sample: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Resource: win10v2004-20240426-en
General
Target: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Size: 45KB
MD5: 6eb19ae66d972318036d3db18d5d472a
SHA1: be8a4422b0e24543c2dcf77d573b68ff411e10cf
SHA256: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2
SHA512: ebd9118fda8361dac4989a9da473122b60b9d0a85b3effc0893b65e2080dfe66fc673afd2c1937921eaa663723cfccb184ee4adc5b77b36cfcb2f611b21d988f
SSDEEP: 768:CcMJOcV8OrUpdJ8WbqpD3TORaEXowekfKnl:yOcjUpkWb2TTgKwul
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SMSS.EXE
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Disables RegEdit via registry modification (16 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTP)
Executes dropped EXE (56 IoCs)
Loads dropped DLL (7 IoCs)
pid | Process
4824 | 4k51k4.exe
2464 | 4k51k4.exe
3268 | 4k51k4.exe
4476 | 4k51k4.exe
4192 | 4k51k4.exe
4488 | 4k51k4.exe
4812 | 4k51k4.exe
Modifies system executable filetype association (2 TTPs, 64 IoCs)
Adds Run key to start application (2 TTPs, 40 IoCs)
Drops desktop.ini file(s) (4 IoCs)
description | ioc | Process
File opened for modification | C:\desktop.ini | 4k51k4.exe
File created | C:\desktop.ini | 4k51k4.exe
File opened for modification | F:\desktop.ini | 4k51k4.exe
File created | F:\desktop.ini | 4k51k4.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | CSRSS.EXE
File opened (read-only) | \??\I: | WINLOGON.EXE
File opened (read-only) | \??\G: | SERVICES.EXE
File opened (read-only) | \??\B: | 4k51k4.exe
File opened (read-only) | \??\Q: | IExplorer.exe
File opened (read-only) | \??\E: | 4k51k4.exe
File opened (read-only) | \??\N: | SERVICES.EXE
File opened (read-only) | \??\N: | LSASS.EXE
File opened (read-only) | \??\L: | SMSS.EXE
File opened (read-only) | \??\Z: | SMSS.EXE
File opened (read-only) | \??\S: | 4k51k4.exe
File opened (read-only) | \??\Y: | 4k51k4.exe
File opened (read-only) | \??\B: | LSASS.EXE
File opened (read-only) | \??\S: | SMSS.EXE
File opened (read-only) | \??\E: | IExplorer.exe
File opened (read-only) | \??\T: | SERVICES.EXE
File opened (read-only) | \??\N: | 4k51k4.exe
File opened (read-only) | \??\P: | SERVICES.EXE
File opened (read-only) | \??\V: | SERVICES.EXE
File opened (read-only) | \??\W: | LSASS.EXE
File opened (read-only) | \??\I: | SMSS.EXE
File opened (read-only) | \??\M: | IExplorer.exe
File opened (read-only) | \??\N: | WINLOGON.EXE
File opened (read-only) | \??\Y: | SERVICES.EXE
File opened (read-only) | \??\N: | SMSS.EXE
File opened (read-only) | \??\U: | SMSS.EXE
File opened (read-only) | \??\T: | IExplorer.exe
File opened (read-only) | \??\O: | CSRSS.EXE
File opened (read-only) | \??\Y: | IExplorer.exe
File opened (read-only) | \??\W: | WINLOGON.EXE
File opened (read-only) | \??\R: | SERVICES.EXE
File opened (read-only) | \??\Z: | LSASS.EXE
File opened (read-only) | \??\T: | 4k51k4.exe
File opened (read-only) | \??\X: | 4k51k4.exe
File opened (read-only) | \??\O: | IExplorer.exe
File opened (read-only) | \??\K: | WINLOGON.EXE
File opened (read-only) | \??\X: | WINLOGON.EXE
File opened (read-only) | \??\X: | LSASS.EXE
File opened (read-only) | \??\Y: | LSASS.EXE
File opened (read-only) | \??\W: | SMSS.EXE
File opened (read-only) | \??\Q: | 4k51k4.exe
File opened (read-only) | \??\G: | IExplorer.exe
File opened (read-only) | \??\S: | CSRSS.EXE
File opened (read-only) | \??\Z: | WINLOGON.EXE
File opened (read-only) | \??\M: | SERVICES.EXE
File opened (read-only) | \??\J: | 4k51k4.exe
File opened (read-only) | \??\Z: | IExplorer.exe
File opened (read-only) | \??\W: | IExplorer.exe
File opened (read-only) | \??\O: | SERVICES.EXE
File opened (read-only) | \??\R: | LSASS.EXE
File opened (read-only) | \??\V: | 4k51k4.exe
File opened (read-only) | \??\I: | IExplorer.exe
File opened (read-only) | \??\V: | WINLOGON.EXE
File opened (read-only) | \??\S: | SERVICES.EXE
File opened (read-only) | \??\L: | CSRSS.EXE
File opened (read-only) | \??\G: | WINLOGON.EXE
File opened (read-only) | \??\S: | IExplorer.exe
File opened (read-only) | \??\K: | CSRSS.EXE
File opened (read-only) | \??\Z: | CSRSS.EXE
File opened (read-only) | \??\H: | WINLOGON.EXE
File opened (read-only) | \??\R: | WINLOGON.EXE
File opened (read-only) | \??\I: | LSASS.EXE
File opened (read-only) | \??\I: | 4k51k4.exe
File opened (read-only) | \??\W: | 4k51k4.exe
-
Drops file in System32 directory 50 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | SERVICES.EXE
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | CSRSS.EXE
File opened for modification | C:\Windows\SysWOW64\shell.exe | LSASS.EXE
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 4k51k4.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | WINLOGON.EXE
File created | C:\Windows\SysWOW64\IExplorer.exe | SMSS.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | SERVICES.EXE
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | SERVICES.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | CSRSS.EXE
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | LSASS.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\shell.exe | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | WINLOGON.EXE
File created | C:\Windows\SysWOW64\IExplorer.exe | WINLOGON.EXE
File created | C:\Windows\SysWOW64\MrHelloween.scr | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | WINLOGON.EXE
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | 4k51k4.exe
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | LSASS.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 4k51k4.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | CSRSS.EXE
File created | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | SMSS.EXE
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 4k51k4.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\MrHelloween.scr | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | SERVICES.EXE
File created | C:\Windows\SysWOW64\IExplorer.exe | LSASS.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\shell.exe | SMSS.EXE
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | SMSS.EXE
File created | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | IExplorer.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | CSRSS.EXE
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | IExplorer.exe
-
Drops file in Windows directory 32 IoCs
description | ioc | Process
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\4k51k4.exe | LSASS.EXE
File created | C:\Windows\4k51k4.exe | SMSS.EXE
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\4k51k4.exe | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification | C:\Windows\4k51k4.exe | IExplorer.exe
File created | C:\Windows\4k51k4.exe | WINLOGON.EXE
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\4k51k4.exe | WINLOGON.EXE
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\4k51k4.exe | 4k51k4.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\4k51k4.exe | 4k51k4.exe
File created | C:\Windows\4k51k4.exe | SERVICES.EXE
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\4k51k4.exe | SERVICES.EXE
File created | C:\Windows\4k51k4.exe | LSASS.EXE
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
File created | C:\Windows\4k51k4.exe | IExplorer.exe
File created | C:\Windows\msvbvm60.dll | IExplorer.exe
File opened for modification | C:\Windows\4k51k4.exe | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File created | C:\Windows\4k51k4.exe | CSRSS.EXE
File opened for modification | C:\Windows\4k51k4.exe | SMSS.EXE
File opened for modification | C:\Windows\4k51k4.exe | CSRSS.EXE
File opened for modification | C:\Windows\msvbvm60.dll | IExplorer.exe
-
Modifies Control Panel 32 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | SERVICES.EXE
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 4k51k4.exe
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | CSRSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | SMSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | SMSS.EXE
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | IExplorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | WINLOGON.EXE
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 4k51k4.exe
-
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
-
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid | Process
4752 | 4k51k4.exe
1512 | CSRSS.EXE
3860 | WINLOGON.EXE
4916 | SERVICES.EXE
4512 | LSASS.EXE
5064 | IExplorer.exe
2760 | SMSS.EXE
-
Suspicious use of SetWindowsHookEx 57 IoCs
pid | Process
1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
4752 | 4k51k4.exe
5064 | IExplorer.exe
3860 | WINLOGON.EXE
1512 | CSRSS.EXE
4916 | SERVICES.EXE
4512 | LSASS.EXE
2760 | SMSS.EXE
4824 | 4k51k4.exe
2040 | IExplorer.exe
2464 | 4k51k4.exe
5076 | WINLOGON.EXE
2328 | CSRSS.EXE
448 | SERVICES.EXE
3572 | IExplorer.exe
4476 | 4k51k4.exe
3268 | 4k51k4.exe
3792 | LSASS.EXE
5068 | IExplorer.exe
1096 | IExplorer.exe
4316 | WINLOGON.EXE
4272 | SMSS.EXE
4192 | 4k51k4.exe
4488 | 4k51k4.exe
1140 | WINLOGON.EXE
2928 | WINLOGON.EXE
796 | CSRSS.EXE
3564 | IExplorer.exe
3408 | CSRSS.EXE
3224 | IExplorer.exe
3596 | CSRSS.EXE
4812 | 4k51k4.exe
4516 | WINLOGON.EXE
4088 | SERVICES.EXE
8 | IExplorer.exe
1748 | SERVICES.EXE
5044 | WINLOGON.EXE
1496 | SERVICES.EXE
896 | LSASS.EXE
3752 | CSRSS.EXE
4552 | WINLOGON.EXE
4784 | LSASS.EXE
4780 | LSASS.EXE
4580 | CSRSS.EXE
1080 | SMSS.EXE
2892 | SERVICES.EXE
3548 | SMSS.EXE
3592 | SMSS.EXE
2816 | CSRSS.EXE
3104 | SERVICES.EXE
2392 | LSASS.EXE
3336 | SERVICES.EXE
4408 | LSASS.EXE
1876 | LSASS.EXE
4400 | SMSS.EXE
960 | SMSS.EXE
4296 | SMSS.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1496 wrote to memory of 4752 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 82
PID 1496 wrote to memory of 4752 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 82
PID 1496 wrote to memory of 4752 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 82
PID 1496 wrote to memory of 5064 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 83
PID 1496 wrote to memory of 5064 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 83
PID 1496 wrote to memory of 5064 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 83
PID 1496 wrote to memory of 3860 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 85
PID 1496 wrote to memory of 3860 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 85
PID 1496 wrote to memory of 3860 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 85
PID 1496 wrote to memory of 1512 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 86
PID 1496 wrote to memory of 1512 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 86
PID 1496 wrote to memory of 1512 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 86
PID 1496 wrote to memory of 4916 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 87
PID 1496 wrote to memory of 4916 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 87
PID 1496 wrote to memory of 4916 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 87
PID 1496 wrote to memory of 4512 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 89
PID 1496 wrote to memory of 4512 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 89
PID 1496 wrote to memory of 4512 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 89
PID 1496 wrote to memory of 2760 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 90
PID 1496 wrote to memory of 2760 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 90
PID 1496 wrote to memory of 2760 | 1496 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe | 90
PID 4752 wrote to memory of 4824 | 4752 | 4k51k4.exe | 92
PID 4752 wrote to memory of 4824 | 4752 | 4k51k4.exe | 92
PID 4752 wrote to memory of 4824 | 4752 | 4k51k4.exe | 92
PID 4752 wrote to memory of 2040 | 4752 | 4k51k4.exe | 93
PID 4752 wrote to memory of 2040 | 4752 | 4k51k4.exe | 93
PID 4752 wrote to memory of 2040 | 4752 | 4k51k4.exe | 93
PID 5064 wrote to memory of 2464 | 5064 | IExplorer.exe | 94
PID 5064 wrote to memory of 2464 | 5064 | IExplorer.exe | 94
PID 5064 wrote to memory of 2464 | 5064 | IExplorer.exe | 94
PID 4752 wrote to memory of 5076 | 4752 | 4k51k4.exe | 95
PID 4752 wrote to memory of 5076 | 4752 | 4k51k4.exe | 95
PID 4752 wrote to memory of 5076 | 4752 | 4k51k4.exe | 95
PID 5064 wrote to memory of 3572 | 5064 | IExplorer.exe | 96
PID 5064 wrote to memory of 3572 | 5064 | IExplorer.exe | 96
PID 5064 wrote to memory of 3572 | 5064 | IExplorer.exe | 96
PID 4752 wrote to memory of 2328 | 4752 | 4k51k4.exe | 97
PID 4752 wrote to memory of 2328 | 4752 | 4k51k4.exe | 97
PID 4752 wrote to memory of 2328 | 4752 | 4k51k4.exe | 97
PID 4752 wrote to memory of 448 | 4752 | 4k51k4.exe | 98
PID 4752 wrote to memory of 448 | 4752 | 4k51k4.exe | 98
PID 4752 wrote to memory of 448 | 4752 | 4k51k4.exe | 98
PID 3860 wrote to memory of 3268 | 3860 | WINLOGON.EXE | 99
PID 3860 wrote to memory of 3268 | 3860 | WINLOGON.EXE | 99
PID 3860 wrote to memory of 3268 | 3860 | WINLOGON.EXE | 99
PID 1512 wrote to memory of 4476 | 1512 | CSRSS.EXE | 100
PID 1512 wrote to memory of 4476 | 1512 | CSRSS.EXE | 100
PID 1512 wrote to memory of 4476 | 1512 | CSRSS.EXE | 100
PID 3860 wrote to memory of 5068 | 3860 | WINLOGON.EXE | 102
PID 3860 wrote to memory of 5068 | 3860 | WINLOGON.EXE | 102
PID 3860 wrote to memory of 5068 | 3860 | WINLOGON.EXE | 102
PID 4752 wrote to memory of 3792 | 4752 | 4k51k4.exe | 101
PID 4752 wrote to memory of 3792 | 4752 | 4k51k4.exe | 101
PID 4752 wrote to memory of 3792 | 4752 | 4k51k4.exe | 101
PID 1512 wrote to memory of 1096 | 1512 | CSRSS.EXE | 103
PID 1512 wrote to memory of 1096 | 1512 | CSRSS.EXE | 103
PID 1512 wrote to memory of 1096 | 1512 | CSRSS.EXE | 103
PID 5064 wrote to memory of 4316 | 5064 | IExplorer.exe | 104
PID 5064 wrote to memory of 4316 | 5064 | IExplorer.exe | 104
PID 5064 wrote to memory of 4316 | 5064 | IExplorer.exe | 104
PID 4752 wrote to memory of 4272 | 4752 | 4k51k4.exe | 105
PID 4752 wrote to memory of 4272 | 4752 | 4k51k4.exe | 105
PID 4752 wrote to memory of 4272 | 4752 | 4k51k4.exe | 105
PID 4512 wrote to memory of 4192 | 4512 | LSASS.EXE | 106
-
System policy modification 1 TTPs 40 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | SERVICES.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe"C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1496 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4752 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4824
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2040
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5076
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2328
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:448
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3792
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4272
-
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5064 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2464
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3572
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4316
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4088
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1080
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3860 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3268
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5068
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3408
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1748
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4780
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3548
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1512 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4476
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1096
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1140
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3596
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1496
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4784
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3592
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4916 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4488
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3224
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5044
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4580
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3104
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4400
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4512 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4192
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3564
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4516
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3752
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2892
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2392
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:960
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 2)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2760 -
C:\Windows\4k51k4.exe (command line: C:\Windows\4k51k4.exe, level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4812
-
-
C:\Windows\SysWOW64\IExplorer.exe (command line: C:\Windows\system32\IExplorer.exe, level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:8
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4552
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3336
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1876
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE", level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4296
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads