Malware Analysis Report

2025-01-06 10:34

Sample ID 240601-ek2jqshg86
Target da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1
SHA256 da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1

Threat Level: Known bad

The file da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1 was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:00

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:00

Reported

2024-06-01 04:03

Platform

win7-20240508-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (21 matches; no per-match details in this export)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (21 matches; no per-match details in this export)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1224 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\xk.exe
PID 2296 wrote to memory of 2760 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2296 wrote to memory of 2772 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2296 wrote to memory of 1020 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2296 wrote to memory of 1548 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2296 wrote to memory of 2388 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2296 wrote to memory of 2020 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
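Detection logic for the registry indicators in this run, added here as an example and not part of the sandbox output. It takes Sysmon Event ID 13 style records reduced to (writing image, object, data), fires one rule per tampering pattern listed above and correlates per image, so the Winlogon, Run-key and file-association persistence only scores high together with the policy lockdown and the "File Folder" masquerade, while a lone HideFileExt toggle (which users also make through Folder Options) scores nothing. The records are constructed from the behavioral1 rows; the stock defaults it compares against (Shell = explorer.exe, Userinit = userinit.exe alone, open command = "%1" %*) are assumptions to baseline on a clean host. Two caveats a responder should read off the indicators themselves: the Winlogon values were written under Wow6432Node, the WOW64-redirected view that the 64-bit winlogon.exe does not consult, and IExplorer.exe landed in SysWOW64 through file-system redirection, so on this 64-bit platform the Winlogon route is inert and the effective persistence is the Run keys (the Wow6432Node Run key is processed) plus the exefile/comfile/batfile/piffile hijack under the shared Classes key; and the Files section lists no shell.exe or Mig~mig.SCR, so the association hijack points at a binary this run never wrote, which breaks shell launches of every .exe.

```python
import re
from collections import defaultdict

# Stock values (assumption: no enterprise policy changes them; baseline against a clean host).
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = "userinit.exe"
OS_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}  # genuine copies live in System32
EXEC_CLASSES = ("exefile", "comfile", "batfile", "piffile", "lnkfile")
CATEGORY = {r: "persistence" for r in (
    "winlogon_shell_tampered", "winlogon_userinit_tampered", "exec_class_command_hijacked",
    "run_key_masquerading_os_process", "run_key_binary_in_windows_root")}
CATEGORY.update(exefile_masquerades_as_folder="evasion", registry_tools_disabled="lockdown",
                folder_options_hidden="lockdown", file_extensions_hidden="visibility",
                superhidden_files_hidden="visibility")

def _split_object(target):
    """'HIVE\\key\\value' -> (key, value) lower-cased; Wow6432Node is dropped so the 32-bit view
    hits the same rules; '(Default)' or a trailing '\\' names the key's default value."""
    target = target.lower().replace("\\wow6432node", "")
    key, _, value = target.rpartition("\\")
    return key, "" if value == "(default)" else value

def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1]

def evaluate(target, data):
    """Rule names fired by one registry value-set event (target object, new data)."""
    key, value = _split_object(target)
    d = data.strip().lower()
    hits = []
    if key.endswith("\\windows nt\\currentversion\\winlogon"):
        if value == "shell" and d != DEFAULT_SHELL:
            hits.append("winlogon_shell_tampered")
        if value == "userinit":
            entries = [p.strip() for p in d.split(",") if p.strip()]
            if any(_basename(p) != DEFAULT_USERINIT for p in entries):
                hits.append("winlogon_userinit_tampered")
    if (value == "" and not d.startswith('"%1"')
            and any(key.endswith(f"\\classes\\{c}\\shell\\open\\command") for c in EXEC_CLASSES)):
        hits.append("exec_class_command_hijacked")  # every launch of that file type runs the payload
    if value == "" and key.endswith("\\classes\\exefile") and d == "file folder":
        hits.append("exefile_masquerades_as_folder")  # Explorer shows .exe files typed as "File Folder"
    if key.endswith("\\currentversion\\run"):
        if _basename(d) in OS_PROCESS_NAMES and "\\windows\\system32\\" not in d:
            hits.append("run_key_masquerading_os_process")
        elif re.fullmatch(r'"?c:\\windows\\[^\\]+\.exe"?', d):
            hits.append("run_key_binary_in_windows_root")
    if key.endswith("\\policies\\system") and value == "disableregistrytools" and d == "1":
        hits.append("registry_tools_disabled")
    if key.endswith("\\policies\\explorer") and value == "nofolderoptions" and d == "1":
        hits.append("folder_options_hidden")
    if key.endswith("\\explorer\\advanced"):
        if value == "hidefileext" and d == "1":
            hits.append("file_extensions_hidden")
        if value == "showsuperhidden" and d == "0":
            hits.append("superhidden_files_hidden")
    return hits

def correlate(events):
    """events: (image, target, data) records -> ({image: verdict}, {image: rules}).
    high = persistence plus lockdown or evasion from one image (this sample's pattern);
    medium = persistence only; low = lockdown/evasion only; None = visibility toggles only."""
    rules_by_image = defaultdict(set)
    for image, target, data in events:
        rules_by_image[image.lower()].update(evaluate(target, data))
    verdicts = {}
    for image, rules in rules_by_image.items():
        cats = {CATEGORY[r] for r in rules}
        if "persistence" in cats and cats & {"lockdown", "evasion"}:
            verdicts[image] = "high"
        elif "persistence" in cats:
            verdicts[image] = "medium"
        elif cats - {"visibility"}:
            verdicts[image] = "low"
        else:
            verdicts[image] = None
    return verdicts, rules_by_image

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe")
USER = r"HKU\S-1-5-21-3691908287-3775019229-3534252667-1000"
WINLOGON = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
ADVANCED = USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Constructed from the indicator rows of behavioral1; the last record is a benign control.
EVENTS = [
    (SAMPLE, WINLOGON + r"\Shell", r'Explorer.exe "C:\Windows\system32\IExplorer.exe"'),
    (SAMPLE, WINLOGON + r"\Userinit", r"C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe"),
    (SAMPLE, r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)", r'"C:\Windows\system32\shell.exe" "%1" %*'),
    (SAMPLE, r"HKLM\SOFTWARE\Classes\exefile\(Default)", "File Folder"),
    (SAMPLE, USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS",
     r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"),
    (SAMPLE, USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\xk", r"C:\Windows\xk.exe"),
    (SAMPLE, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1"),
    (SAMPLE, ADVANCED + r"\HideFileExt", "1"),
    (r"C:\Windows\explorer.exe", ADVANCED + r"\HideFileExt", "1"),
]

if __name__ == "__main__":
    print(correlate(EVENTS)[0])
```

Feed it real Event ID 13 records by mapping Image, TargetObject and Details onto the three fields; the hive prefixes only need to end in the same key names, so HKLM, HKU and \REGISTRY\MACHINE forms all work.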

Processes

C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe

"C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2296-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 08eca8d511f841708bda81cc3d9c1d8e
SHA1 d02e9bdd5f24617b7c661f58da29871201b9c794
SHA256 da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1
SHA512 df551185ccfe29e286520fe661c255bff27ad2b7fefb0c566b5d2c23220b3ba5720db157dd80a05aa65cfa19349cfc5a277aa2f0ad8ffce4e6699ccb888a6182

C:\Windows\xk.exe

MD5 a6ec707e10234aac22e9d0adff2bc5b4
SHA1 73ec514f5fb29e893995fed425a56cdcdb2f9e8d
SHA256 a5a7eb4f1aa2b38a335264986e51b68246c18f21cd1edc23eb7d5efbb8e67cfa
SHA512 bfc466e2becc05173a5fd46c29a0d33572a2f99ee983c0de7873fa3a1311f87e4f77aa9ad1f38e92fb26b7453da2480e055a2f00282b9e3b714d8c9e0656cce7

memory/1224-115-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1224-113-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2296-112-0x0000000001D50000-0x0000000001D7F000-memory.dmp

memory/2296-111-0x0000000001D50000-0x0000000001D7F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 3788c0d990c32dbd4c90bcd5b3bf3d6f
SHA1 f530d404919daf03e600bc0719e0a269d4481384
SHA256 8ffe8bfab1ae0f760fd7c9884138a1285365bb5a959ad2e6c482a7f36bb5a1ef
SHA512 2697e3f40cf3e5cfbc8d22f671779fd7055c5fd57ef1109d6b54a5d194d84a8ec9c743a1d78d8e8c8986e3c3bd483001825f89401735309295273752ba4b1344

memory/2760-127-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 d45ff9133ef40756d81c745d64b696c5
SHA1 31d56c208903e49b55f56c1e6dc705175b81c166
SHA256 0395b22c135b102005e371094da9137c2ae24fde9c9e5afd05a12f66c500c66a
SHA512 c9595802e1aea58c9e6def454e8051260d636147ca7d737c783a6c1286cdeafaad9b2e5e16234967b2c78db6bdb1dd80ff3566c96b2e232f314c37eb69ad4c57

memory/2296-134-0x0000000001D50000-0x0000000001D7F000-memory.dmp

memory/2296-133-0x0000000001D50000-0x0000000001D7F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 9eeb06765d71e5fa1b91b4a09266857d
SHA1 c71108b4b5e0bf66e4d15db54cd15650f04cb527
SHA256 a86c9e561fb43463a64936d897ac13310b60081ace30798a52dccaf033fcc9aa
SHA512 132808c5ab99a02125b48f7927563cbe94ad90f7b67c87cd9781bd1901d1ccb0063f28655b0f5577e7c66f6ac0a86bb68f8008a14d50e0d8f9455d8ed6b12919

memory/2772-140-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 46c0257d5478d16bae9ef94ca330f3f8
SHA1 881ce0bc5b063582848e624d9d6b9b4f13fe39b2
SHA256 2ff5d800c5ef63b3e4d8cb5f4ace54ef5e9710d42525e56c953921f7da4dc313
SHA512 0fd9017d95d9ca239c2e8d2092b6e9c051855bd80897e33e1cc98b2069fc7878e02c479ddc5783c1cf6630132db4987e14d382c1f7396ff84e89cdb3807320eb

memory/1020-151-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1548-161-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1548-159-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2296-164-0x0000000001D50000-0x0000000001D7F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 2fb55003b024e19582b71453bab08167
SHA1 d4fe35c302c31aea8af2215acc9787f682be8791
SHA256 cc62de6243b465e250de00db006b5048dd24e379c17c5d27de9a5d73dfee1389
SHA512 a75455291293f1795e1be499edf0a878d83a943768f64ccefdc92908567a351af6becfe268d7147a44d6273bd8ca789556fa28ef0424e63a8a5118efcefae808

memory/2296-170-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 8036a71cbdd84f6e150220afaa168c78
SHA1 6f187420d427de99c5fb1f08d67f8acb8366d71f
SHA256 bbafefcb9945a98bc102347fedeb7feaee8c645646871a92d59b18091dca242b
SHA512 d2cd0f01b5af9f9b59283ba2467964ca24eb458ccdf6f3228b1f33e73487d96f4742ea34ccbd40e90c4f6745639cebfd7e68cb136cbb6ea1378cd5924d417395

memory/2388-175-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2020-182-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2020-187-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2296-188-0x0000000000400000-0x000000000042F000-memory.dmp
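A reversal script for the registry changes in this run, added here as an example and not part of the sandbox output. plan_reversal maps each "Set value" row (object, data) from the tables above to its stock value or to a deletion, and render_reg writes regedit 5.00 syntax ("=-" deletes a value, "[-key]" deletes a key); the rows below are constructed from behavioral1. The defaults are assumptions to confirm on a clean host of the same build: Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe, with the trailing comma, "%1" %* as the exefile/comfile/batfile/piffile open command, "Application" as the exefile type name, and no DisableRegistryTools, NoFolderOptions or lnkfile open command on a stock host. HideFileExt and ShowSuperHidden are set to show everything, which is an analyst choice because the user's earlier values are unknown. Apply it with reg.exe import from an elevated cmd.exe, not by double-click: exefile points at a shell.exe this run never dropped and DisableRegistryTools blocks regedit.exe, whereas reg.exe started from a console goes through CreateProcess, which ignores the exefile association. Terminate the processes listed under Processes first and delete the files listed under Files. Note there that C:\Users\Admin\AppData\Local\services.exe carries the sample's own SHA256 (a plain self-copy) while every other dropped binary has a distinct hash, so hunt these by path, and that the C:\Users\Admin\Local Settings\Application Data\ prefix in the Run keys is the legacy junction onto C:\Users\Admin\AppData\Local\, where the Files section shows them. The HKEY_USERS SID must be replaced with the victim's.

```python
DEFAULT_OPEN_COMMAND = '"%1" %*'  # stock exefile/comfile/batfile/piffile open command
WINLOGON_DEFAULTS = {"shell": "explorer.exe",
                     "userinit": "C:\\Windows\\system32\\userinit.exe,"}  # trailing comma is stock
DELETE_VALUES = {"disableregistrytools", "nofolderoptions", "scrnsave.exe"}  # absent on a stock host
VISIBILITY_FIX = {"hidefileext": 0, "showsuperhidden": 1}  # analyst preference, not a stock default
HIVES = {"\\registry\\machine": "HKEY_LOCAL_MACHINE", "\\registry\\user": "HKEY_USERS"}

def plan_reversal(changes):
    """Map each observed (object, data) row to (key, value_name, action): action is a str
    (REG_SZ to write), an int (REG_DWORD to write) or None (delete the value);
    (key, None, None) deletes the whole key. Rows with no known reversal are skipped."""
    plan = []
    for obj, data in changes:
        key, _, value = obj.rpartition("\\")
        k, v = key.lower(), value.lower()
        if k.endswith("\\currentversion\\winlogon") and v in WINLOGON_DEFAULTS:
            plan.append((key, value, WINLOGON_DEFAULTS[v]))
        elif v == "" and "\\classes\\" in k and k.endswith("\\shell\\open\\command"):
            if "\\classes\\lnkfile\\" in k:
                plan.append((key, None, None))  # assumption: stock builds have no lnkfile open command
            else:
                plan.append((key, "", DEFAULT_OPEN_COMMAND))
        elif v == "" and k.endswith("\\classes\\exefile") and data == "File Folder":
            plan.append((key, "", "Application"))
        elif k.endswith("\\currentversion\\run"):
            plan.append((key, value, None))
        elif v in DELETE_VALUES:
            plan.append((key, value, None))
        elif v in VISIBILITY_FIX:
            plan.append((key, value, VISIBILITY_FIX[v]))
    return plan

def _reg_key(key):
    """Translate the report's \\REGISTRY\\MACHINE\\... form into regedit's HKEY_... form."""
    low = key.lower()
    for prefix, name in HIVES.items():
        if low.startswith(prefix):
            return name + key[len(prefix):]
    return key

def _reg_value(name, action):
    label = "@" if name == "" else '"%s"' % name
    if action is None:
        return f"{label}=-"
    if isinstance(action, int):
        return f"{label}=dword:{action:08x}"
    return '%s="%s"' % (label, action.replace("\\", "\\\\").replace('"', '\\"'))

def render_reg(plan):
    """Emit regedit 5.00 text; rows the report lists twice collapse to one entry."""
    by_key = {}
    for key, value, action in plan:
        by_key.setdefault(_reg_key(key), {})[value] = action
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, entries in by_key.items():
        if None in entries:
            out += [f"[-{key}]", ""]
            continue
        out.append(f"[{key}]")
        out += [_reg_value(v, a) for v, a in entries.items()]
        out.append("")
    return "\n".join(out)

USER = r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000"
CLASSES = r"\REGISTRY\MACHINE\SOFTWARE\Classes"
HIJACK = r'"C:\Windows\system32\shell.exe" "%1" %*'
# Constructed from the "Set value" rows of behavioral1 (a trailing backslash marks the default value).
CHANGES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     r'Explorer.exe "C:\Windows\system32\IExplorer.exe"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     r"C:\Windows\system32\userinit.exe,C:\Windows\system32\IExplorer.exe"),
    (CLASSES + "\\exefile\\shell\\open\\command\\", HIJACK),
    (CLASSES + "\\exefile\\shell\\open\\command\\", HIJACK),  # listed again under "Modifies registry class"
    (CLASSES + "\\lnkfile\\shell\\open\\command\\", HIJACK),
    (CLASSES + "\\exefile\\", "File Folder"),
    (USER + r"\Software\Microsoft\Windows\CurrentVersion\Run\xk", r"C:\Windows\xk.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1"),
    (USER + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt", "1"),
    (USER + r"\Control Panel\Desktop\SCRNSAVE.EXE", r"C:\Windows\system32\Mig~mig.SCR"),
    (USER + r"\Control Panel\Desktop\ScreenSaveTimeOut", "600"),  # no reversal rule: skipped
]

if __name__ == "__main__":
    print(render_reg(plan_reversal(CHANGES)))
```

Run it on the full row set of both behavioral runs and diff the output against the registry of a clean host before importing; the Wow6432Node Winlogon values are restored in place even though the 64-bit winlogon.exe never read them.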

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:00

Reported

2024-06-01 04:03

Platform

win10v2004-20240508-en

Max time kernel

130s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (18 matches; no per-match details in this export)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (18 matches; no per-match details in this export)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\xk.exe
PID 2728 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\xk.exe
PID 2728 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\xk.exe
PID 2728 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2728 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2728 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2728 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2728 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2728 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2728 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2728 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2728 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2728 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2728 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2728 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2728 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2728 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2728 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2728 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2728 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2728 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe

"C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2728-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 08eca8d511f841708bda81cc3d9c1d8e
SHA1 d02e9bdd5f24617b7c661f58da29871201b9c794
SHA256 da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1
SHA512 df551185ccfe29e286520fe661c255bff27ad2b7fefb0c566b5d2c23220b3ba5720db157dd80a05aa65cfa19349cfc5a277aa2f0ad8ffce4e6699ccb888a6182

C:\Windows\xk.exe

MD5 6e1552548c4c929fd5090aafdb0bf0d9
SHA1 b88e0eff4fa0707a8337e48aa9b8a80ba7ea4242
SHA256 2d0cead97a30a42a09008b66a8e04bda720205924b83c8f3f73bd3ad33cbe64b
SHA512 b11766e549b336db7233603e60c5a1691478f6f61f7ded4bafbb3cc65f76106c39a62fb4cea25bef273a6f5e6387af1b66323125b4add1333b54110fa1f0eaa3

memory/3332-111-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 2fb493a5e4005cff8e879e387c5c4458
SHA1 e277b055328741377a2a16d1a63e333d8dcddc8e
SHA256 d8919df377acaa5d821c993ac2a2ce55ec47d1e3d728f70bbd1d14a25c1c9df9
SHA512 1f1c87054d1c5b087da3229aefd34da6bb29daaf59f4aa91cbb386430abcfd72c4ce4d7f24047b81c4989670ab5d014c7c1d8cfa46cd1a2248da251429f661f4

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 ef02a20f0db596617e9596390518d0e4
SHA1 e7b93f563a3e1f818d8fc35c83eb48c445f0b4ae
SHA256 a89766280c8ea81d6f0fba8955a3e2b6cb2bbc9ea4afb9dd31ab954cbd800d87
SHA512 5a733da9424e53b9114912779205e5a0fd78490ee12d3914990706eead0a4e1a372c6bbf43978afe020e20319ee90bfafcf7215726b677e911e4993bb4cb0bb5

memory/2740-120-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2104-126-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 60ec39dc7aa72ff0c223fa8eade22f35
SHA1 f572ec5aa0e505fce4e01f72b017bfc0673870c1
SHA256 100bc479d954ca39f6d62c223fdfb93ff559c6db137ca6e1991a36744a0382bc
SHA512 c6ce0f4a323105134b6113b7e3b129785c73975b6c286a316102f869f105ae8bc6f16264fe84cc9ec518c35c7624f44ba9bb2ca067af19834a744756e0b04b57

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 c85aca85988cad269ce466526e639d7e
SHA1 c3a9659f216646b4f9095a244bb53e2c9392ec3c
SHA256 0618e6497f44f3b6a20e925d47e726da3775055cc4b6bbc9497889bb4889cf6f
SHA512 53026bc8b0dae955d6fe48ab3cd645d864853a0c762c75106d15d18c6bb593b01367960287189c167610bb60dab3223fd6faa356a85e1300908ccd41381bbe67

memory/4384-133-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3204-137-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 09d0b7a2b123b112f747dc27fbf936da
SHA1 ae84c14e0b5d6a8771a18c2fcdcef5aaa9dad5da
SHA256 d5fa10d2a4d3b15e496f822b67b2ad817caf93d5ad38a9992b890ca464cd01cb
SHA512 10684e4c7af9419f981840adfd618adadfff1e05ac45c82d65c64d995e80897e2fea053f3804d5d5e19826527f811c8954ca3e8a60080e533a0929dad7a3de81

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 6727710871b03c8613e66a270cb37c0e
SHA1 e2b4cb80999f4f9bebe79ae8283ba62a8d9a5be8
SHA256 3b2170beb9cbfc0353e5098d6f46628cc27f4b2be1fb2d7f14ae1f0c994b9853
SHA512 1bb1ff5e505d28c065903708302b7b0f200e25454e68af1a90341beb4284ceeb6dace2392c06adfa22ae3de7462f0cd4f0e721cd25d0ed423a0e3ab4b007a597

memory/3108-146-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2292-148-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2728-154-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2292-153-0x0000000000400000-0x000000000042F000-memory.dmp