Malware Analysis Report

2025-01-06 10:33

Sample ID 240601-d9nthahc89
Target d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3
SHA256 d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3

Threat Level: Known bad

The file d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Detects executables built or packed with MPress PE compressor

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 03:42

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 03:42

Reported

2024-06-01 03:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\xk.exe
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\xk.exe
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\xk.exe
PID 1644 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\xk.exe
PID 1644 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1644 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1644 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1644 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1644 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1644 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1644 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1644 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1644 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1644 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1644 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1644 wrote to memory of 108 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1644 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1644 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1644 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1644 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1644 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe

"C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/1644-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 3209d84fe824dc59308dccab0c1d4b8b
SHA1 edd0bef48665580a2a0b191fc9698251942ffd7b
SHA256 d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3
SHA512 6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196

C:\Windows\xk.exe

MD5 5d7eb078c58a359c13ce1329b3f2aba2
SHA1 cc44a8a62746ab51845638f22e94fec8a48ba1f3
SHA256 a4000ab61427f703291dddf1f5dfecf62ec60b4f7810f158f2770a3c2a0341fb
SHA512 5a67d3be08bd9a48f81b8c6372b3484ba80bd36ee2c938d4d31fce1682274fda496e7f87c6a71373c80cea6de1c2b92f249fe9918eea13c93c36cf8f329925fe

memory/1644-111-0x00000000031E0000-0x000000000320E000-memory.dmp

memory/2736-112-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 07649a598e6174feae2e9eb8460f3c48
SHA1 26fbeef5047ca1bf4d94e1bef0f7ec08f253b27e
SHA256 a928d09d25486b619e416f201089e4091e88741bf10fba60e4e7990236cdc90a
SHA512 66c5fd6bcbbf8ea95c68fb3bd964524ee52b928362607b35fc630fdd8c638a890a68a3d60a6327afcf51dfdebf0edfee6e1872bf2ce05b185b4586db9a79257c

memory/2736-115-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2748-123-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1644-122-0x00000000031E0000-0x000000000320E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 4bb16a0ad0b452c6b178960f3eb0906c
SHA1 ab4a7a520cfc1d6a07f059786fa15709c151790a
SHA256 6441a3c9fe91ba1257eab6fa0328023155b153bb3d587b1023a67079ca12a519
SHA512 f70650c3e3b87f64fd3e17481f7e6dcb6352cf679bbdc2001bd5d28831081a940559d7c9d28c21bb9a64df683339f8d22bc9bdf8c9375a18dbf397eec6674968

memory/2748-133-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2448-139-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1644-138-0x00000000031E0000-0x000000000320E000-memory.dmp

memory/1644-137-0x00000000031E0000-0x000000000320E000-memory.dmp

memory/2448-140-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 34b3c2156fa2c53f6ed928883a484810
SHA1 1ad23ed469d893dfe6ecd913cc4818a68833cf80
SHA256 11e5489f0f864d33c3d769ee0e372b67659ccf2bc571b3f0777a6a8904df2be8
SHA512 8fd8f0bb2871f28c512fea8b3c1319911b7057ee55bc57252f6d53bb98254f4287150027d2a576c850c3d48ed41e247a233beb5bc085be0d7d6283297435ee42

memory/1864-151-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 5aad6c8455194a793f855b9daf81582c
SHA1 93c71b5adfc9c9aec99304f0523870a106382faa
SHA256 3049c5fe4c79b2d52e65af8c440d68a44b6896e30d7facac04d6ea2d393732ea
SHA512 403ee3560e56c54360b3cf4cf3ca401d1360b8d06ef165b59325c2aa6cc099fb08bed18f41f3107f0868aa2796362b88c84e30c9f88328134167cbaaa78ff743

memory/1644-160-0x00000000031E0000-0x000000000320E000-memory.dmp

memory/108-162-0x0000000000400000-0x000000000042E000-memory.dmp

memory/108-164-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 7f7708c65eca10624d42deafa2884147
SHA1 6c2494b2812993ff4bd824947aba77f4965f94fc
SHA256 8b4451274efc4cf28ea4ce434b7ec745e5cac4a7d0e8410e91417b84c02fd64a
SHA512 2ce8d991a0b144a8cd96f8f6de74916250bab42aa0829f05630926c0106be036cd4dc9b729540d45a05ac80690cfb958323d557997b5018543b070efa2583f35

memory/2696-174-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 228b006b3967354ea94afce222ccd2f0
SHA1 f453b261577a4f730b621f7a32cd9b0f6b36f5bd
SHA256 f4fbe5b9a52a6d9e27c102802a2134a08d0340ac8b7b94ec5f716234bbad55de
SHA512 d76dd8b70ece96a9f922fd45a44ae5dd31bc4e3cca057d937fb91dd848b3c3f4a6004b4bd033c488104f192dc67e67358601e7e497114ab49af4d455b0e629d3

memory/1644-182-0x00000000031E0000-0x000000000320E000-memory.dmp

memory/1644-181-0x0000000000400000-0x000000000042E000-memory.dmp

memory/628-188-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1644-189-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2448-190-0x0000000000400000-0x000000000042E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 03:42

Reported

2024-06-01 03:45

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\xk.exe
PID 4996 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\xk.exe
PID 4996 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\xk.exe
PID 4996 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4996 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4996 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4996 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4996 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4996 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4996 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4996 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4996 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4996 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4996 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4996 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4996 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4996 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4996 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4996 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4996 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4996 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe

"C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

memory/4996-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 3209d84fe824dc59308dccab0c1d4b8b
SHA1 edd0bef48665580a2a0b191fc9698251942ffd7b
SHA256 d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3
SHA512 6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196

C:\Windows\xk.exe

MD5 09d9658628c7f0738f072a53d38c886c
SHA1 6a0debf5c04d2d0b68c1d9297b6b4c432ebe7a59
SHA256 fea1416b8aecd97c4401a17a5529d9351197e3847390efb837b74f2ce76fdf0d
SHA512 3f81bec3c9787b03eb66ea8a718eb51f2d02ed55587a20d14688d4cf7a2e4cf5823da3fdfa247c60ef654d463a0146584d331cf5fc94bfeabd3f32720780a08c

memory/1864-108-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1864-112-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 657ae0b046b6d26d86cd1b95c195f1b4
SHA1 60442987f20eac765d6d652e914405e674657052
SHA256 654d0ea5e56618763ff3a1826fb0ae02197fc74ec94844f2698f4dee566ad8c2
SHA512 dccc4ae101f2aeb1211dc3738a27230f35eb3df17fdb28aae4076f99536faddda27a7d388f506b5f81138b69d043edf8536b39723e3a1d95b9e81ef86e5a0093

memory/1152-116-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1152-120-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 a0765d117a1f75da8f78727e8a4fe0c3
SHA1 71739fcf50c6dab3ac49f13c68c6834f83a7d883
SHA256 9ff6a08b5db95a888c80185ae6fcce07f195c274e9fabdba7b8724f4e0107ccf
SHA512 a934e0619a5232100e30646f35dbc8aea537b7724800bd7fb172bc6891b3b5b0e085b2f43a508366a003d974634ce17ea48c92dd8f180125060e309078346160

memory/3344-127-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 a99cf2380760f64395d8d50af3eb74ac
SHA1 caf868cf0ea989f60ac3f9ff43e903ca1f1b573a
SHA256 5068500d6f4c21a763661bb6b261724ff4b4734f317b83ae26d8a06994421d18
SHA512 fa788b73c31ab1497cef34c95f89eb467061f98b332bc362682505bccaad0e11ba79741ffe1c0c6d82e862a7dd7b54b412f38cbfa9eed1de0e721203c964b3bf

memory/3980-133-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

MD5 ae2443e2601cdf19ad28b48894db6e60
SHA1 a20fff013ae34596adcbca6c3f302f9465c1640a
SHA256 478aa9b9afe28d67b2eafabd97a8fa5a3ade67177994223fe6b05080052bb389
SHA512 ac7b75c5352301ec1eaa1aa4f3599202f6850f0e502a0206d67ecdfbbd72e9b6c9ab216e75e757493264bf1d409e1006b285ac2e0b5e05e03049ea3bf1d1b3b0

memory/2732-140-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 d0266de7aa7a59ad5fac537a03fb0b2d
SHA1 19ace44788b1c539a35a1ca67a7e84c6e7619f0e
SHA256 0846103d1871c680f6991e3ceae81722e9a8118f3e9c928c4b5c82c69e17993d
SHA512 a4adead5a5f8de14d1af21811760a46693538885ffec2fd79088d32b58dad8b136c48db22fc7f84d8852c1df8c390d25fd5b0a605e5e0f3e3b1e2086394b027b

memory/4152-146-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 4585aa8e1b975a3484619aa381356e55
SHA1 6cd68da54126a3fcaaeec9413dc0a2f6a78d9300
SHA256 eff415841b1c455df8841668c394c3dc6df9c5accc6747eeedde62c805596b5d
SHA512 52b20bef44c85e71d0804d87340ef40e12963f459904918ea3979b1410cf69fc2709d8540c7a88c5ac93628bc56f726dec01dfac55a820e1de411e842781ee09

memory/804-153-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4996-155-0x0000000000400000-0x000000000042E000-memory.dmp