69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Size

63KB
MD5

cf09b93381cb9f47f7e7591818cccb12
SHA1

dfae8cda8dd925c3ef07a8c10e68ec700d55ddde
SHA256

69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd
SHA512

18657439715fd161183e41f701dc52ca223dee25b807fd14dfddb5f489e80db39d7d59a98417aee5b8b59bcd42b42d6050392cb212e2e48a4f3bc224f7540f51
SSDEEP

768:jSxam3Usjr3REXXr8yxFChMp7v9DLKrzCnbcuyD7UVeQI5noScAvcV4RP0U+t6:jRsjdEIUFC2p79OCnouy8VDNAG4RsfU

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

UPX dump on OEP (original entry point) 23 IoCs

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00080000000167e8-8.dat	UPX
behavioral1/files/0x0007000000016c5b-108.dat	UPX
behavioral1/memory/2540-111-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2540-116-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x0006000000016fa9-114.dat	UPX
behavioral1/memory/1596-123-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1596-126-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00060000000171ad-127.dat	UPX
behavioral1/memory/2904-136-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2904-138-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x000600000001738e-139.dat	UPX
behavioral1/memory/3000-148-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x000600000001738f-149.dat	UPX
behavioral1/memory/352-158-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/352-160-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00060000000173e2-161.dat	UPX
behavioral1/memory/1992-167-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/files/0x00060000000173e5-172.dat	UPX
behavioral1/memory/1656-174-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2848-180-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/2848-184-0x0000000000400000-0x000000000042F000-memory.dmp	UPX
behavioral1/memory/1992-186-0x0000000000400000-0x000000000042F000-memory.dmp	UPX

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2540	xk.exe
1596	IExplorer.exe
2904	WINLOGON.EXE
3000	CSRSS.EXE
352	SERVICES.EXE
1656	LSASS.EXE
2848	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00080000000167e8-8.dat	upx
behavioral1/files/0x0007000000016c5b-108.dat	upx
behavioral1/memory/2540-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2540-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016fa9-114.dat	upx
behavioral1/memory/1596-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1596-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000171ad-127.dat	upx
behavioral1/memory/2904-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2904-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001738e-139.dat	upx
behavioral1/memory/3000-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001738f-149.dat	upx
behavioral1/memory/352-158-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/352-160-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000173e2-161.dat	upx
behavioral1/memory/1992-167-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000173e5-172.dat	upx
behavioral1/memory/1656-174-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2848-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2848-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1992-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
File created	C:\Windows\SysWOW64\shell.exe	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
File created	C:\Windows\SysWOW64\Mig2.scr	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
File created	C:\Windows\xk.exe	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
2540	xk.exe
1596	IExplorer.exe
2904	WINLOGON.EXE
3000	CSRSS.EXE
352	SERVICES.EXE
1656	LSASS.EXE
2848	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2540	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	28
PID 1992 wrote to memory of 2540	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	28
PID 1992 wrote to memory of 2540	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	28
PID 1992 wrote to memory of 2540	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	28
PID 1992 wrote to memory of 1596	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	29
PID 1992 wrote to memory of 1596	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	29
PID 1992 wrote to memory of 1596	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	29
PID 1992 wrote to memory of 1596	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	29
PID 1992 wrote to memory of 2904	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	30
PID 1992 wrote to memory of 2904	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	30
PID 1992 wrote to memory of 2904	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	30
PID 1992 wrote to memory of 2904	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	30
PID 1992 wrote to memory of 3000	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	31
PID 1992 wrote to memory of 3000	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	31
PID 1992 wrote to memory of 3000	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	31
PID 1992 wrote to memory of 3000	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	31
PID 1992 wrote to memory of 352	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	32
PID 1992 wrote to memory of 352	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	32
PID 1992 wrote to memory of 352	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	32
PID 1992 wrote to memory of 352	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	32
PID 1992 wrote to memory of 1656	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	33
PID 1992 wrote to memory of 1656	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	33
PID 1992 wrote to memory of 1656	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	33
PID 1992 wrote to memory of 1656	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	33
PID 1992 wrote to memory of 2848	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	34
PID 1992 wrote to memory of 2848	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	34
PID 1992 wrote to memory of 2848	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	34
PID 1992 wrote to memory of 2848	1992	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe

C:\Users\Admin\AppData\Local\Temp\69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe
"C:\Users\Admin\AppData\Local\Temp\69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1992
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1596
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:352
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
63KB

MD5
cf09b93381cb9f47f7e7591818cccb12

SHA1
dfae8cda8dd925c3ef07a8c10e68ec700d55ddde

SHA256
69e06fc6c68a774fcdb6f058e76486712f29e8ea5636f5da58142b4124203ffd

SHA512
18657439715fd161183e41f701dc52ca223dee25b807fd14dfddb5f489e80db39d7d59a98417aee5b8b59bcd42b42d6050392cb212e2e48a4f3bc224f7540f51

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
8733ba6cb8cfbbe893c94a49956798e8

SHA1
03fad46e532da4ecfa01dc01dc02a9bb06ed80fd

SHA256
821338e3f2699dedc3a7bb05f5742b9188fb96a0897d0a35df39ba34c4bcf59b

SHA512
3751b2e46a6ec1a57a6ef0a9e0aa9200a2b524cd9e72f316bd8a48ac83d304f6655eb899665737e9493a89db9b916a3820abfe5ca557af61a280dfa841b668bd

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
7fcc98399ab235340a653098fa2f2d85

SHA1
b6f81d6822447ee09200ffa8c97747f55defd15e

SHA256
06b44c4b9490f15ea68657c1dd0a8944bfdc7e1c8251733db841bb02d4049d8b

SHA512
6e233148cc2a9ef8e1f029a48fff95411c814a480b566af49d1007f4b74b6bd2207927d6da0ef70da183ed9e382212b386683fdf02027e274848d01621bf74db

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
d3bb60012d41ce2f68ae4f053e293cc4

SHA1
002de2d9f213fd204749f800fb219071cd82f7d2

SHA256
739ceddf40c5240ae7913329c0641857dad016f387663ea0e81592f4d6ab4e83

SHA512
2287c861f0cf1a4ec3654b173e90164b6739fcc3d37d8a103e6d0ca88a8d6a6742e4400be71d3898b738f35ab2b8ae0f4f2cb9d93858c92079c84daf1730d18d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
4811d89a16be0d1aed66ec72abaa2130

SHA1
f51c62a571fba93b5ac572df05e520ccd31f05a4

SHA256
ce90e57632270f0cbfbc1f56aee3380d662badeaeb3b4cea8509f8d404c0fd9a

SHA512
02b1b5f84a7447896193a2aa11336038b8682426f71116249764da5403891f40fd3fe912900b74e753f6032e0ec86caab2ccf1a8f82aedb7f328c28adfbd0a7f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
3907b6012b48555843d903af280a20c4

SHA1
3d904cadf745791d6e1b948baa1ce30b2a3f19fb

SHA256
b4e9bf40c3f4a054524391ad7c0dbebad1210dda89290ab66a26e156e1cb09dc

SHA512
595cde0408e9b6d24eaaf5b8f42230a6066ebd30737ade4ef78a2c642317599e73b6eaab1aa4d3f9396acd70e6f8c63a42146f7e8d55727362d6380e4d30c175

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
9960a30484cbb57ef3e4e0e5c043bae4

SHA1
f26c4fd5e07c972c7a955bc07412afe66e21cfb6

SHA256
42cf007031f7103ca98aab43b42a6032a99469bb6e4a242723153d7cedcc547a

SHA512
a23e334eda8a8eca94474c59d6513a2d4dfd58486dde7db1393feeaf70348fe098e5fbe08ff5dab0dc1644a793ab79a88b3be45d1d65f71a573366771727f1ff

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
4210ce8d0ddae2c9f7ae40e3fd61d972

SHA1
ea477967e8137c305ebd9aa2c106a24465a211da

SHA256
44734d0db2ac8cc8eba1bbfb52d5afd7967e107e369f8f6bc4ec5ee47ea94691

SHA512
b420a191c43f88dada92b36d4bff5a88595f9282a9773fcc273a0edff26928259df15443824619d6db772a3cb54739fdc4a218a632ef04bcb0fef233863b1cad

Download Submit
memory/352-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/352-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-110-0x0000000002640000-0x000000000266F000-memory.dmp

Filesize
188KB

Download
memory/1992-109-0x0000000002640000-0x000000000266F000-memory.dmp

Filesize
188KB

Download
memory/2540-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2540-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download