Malware Analysis Report

2025-01-06 09:25

Sample ID: 240601-f8a75acb72
Target: fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810
SHA256: fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810
Tags: evasion, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810
Threat Level: Known bad

The file fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810 was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, persistence

Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Detects executables built or packed with MPress PE compressor
Disables RegEdit via registry modification
Disables use of System Restore points
Modifies system executable filetype association
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx

MITRE ATT&CK (Enterprise Matrix V15): no technique mappings are included in this export.

Analysis: static1

Detonation Overview

Reported: 2024-06-01 05:32

Signatures

Detects executables built or packed with MPress PE compressor
  Description / Indicator / Process / Target: not recorded in this export (N/A)

Unsigned PE
  Description / Indicator / Process / Target: not recorded in this export (N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 05:32
Reported: 2024-06-01 05:34
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe"

Signatures

Modifies WinLogon for persistence [persistence]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Note: both values landed under the Wow6432Node view, i.e. they were written by a 32-bit process subject to WOW64 registry redirection. When checking a host, read the Winlogon Shell and Userinit values in both the native and the Wow6432Node view; the clean defaults are "explorer.exe" and "C:\Windows\system32\userinit.exe," respectively.

Modifies visibility of file extensions in Explorer [evasion]
Process: C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer [evasion]
Process: C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Detects executables built or packed with MPress PE compressor
  20 matches; the export records no description, indicator, process or target for them (all N/A).

Disables RegEdit via registry modification [evasion]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables use of System Restore points [evasion]
  (no indicator rows in this export)

Modifies system executable filetype association [persistence]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Note: the open command for .com, .exe, .pif, .lnk and .bat files is routed through C:\Windows\system32\shell.exe instead of the default "%1" %*, and the .exe type name is changed to "File Folder" so executables display like folders once HideFileExt is set. No shell.exe is listed among the files captured in this export, so verify on a host whether that file exists before assuming the hijack is live.

Adds Run key to start application [persistence]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
Note: the Run values use the legacy profile path "Local Settings\Application Data", which on Windows Vista and later is a junction into AppData\Local; the dropped files in the Files section appear under the AppData\Local path, so search for both spellings when hunting.

Drops file in Windows directory
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  File opened for modification C:\Windows\xk.exe
  File created C:\Windows\xk.exe

Enumerates physical storage devices

Modifies Control Panel [evasion]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
  Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
Note: although tagged as evasion, this is also an idle-time autostart: after 600 seconds of inactivity the file named in SCRNSAVE.EXE runs in the user's session, and ScreenSaverIsSecure = 0 means no password prompt on resume.

Modifies registry class
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
(the same operations reported under "Modifies system executable filetype association", plus the parent keys)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command

Suspicious behavior: EnumeratesProcesses
Process: C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Description, Indicator and Target: N/A

Suspicious use of WriteProcessMemory
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe (PID 2980); Indicator: N/A
  PID 2980 wrote to memory of 1760 (4 writes); Target: C:\Windows\xk.exe
  PID 2980 wrote to memory of 3012 (4 writes); Target: C:\Windows\SysWOW64\IExplorer.exe
  PID 2980 wrote to memory of 2284 (4 writes); Target: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  PID 2980 wrote to memory of 2024 (4 writes); Target: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  PID 2980 wrote to memory of 344 (4 writes); Target: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  PID 2980 wrote to memory of 1444 (4 writes); Target: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  PID 2980 wrote to memory of 2880 (4 writes); Target: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
Note: every target PID is a child the sample launched itself (each image also appears in the Processes list), so these writes are consistent with ordinary process creation rather than injection into an already-running process.

System policy modification [evasion]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
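The registry rows in the signature tables above are flat text. The following Python is an added example, not part of the sandbox output, that parses rows in exactly that format, converts the kernel-style path to hive notation, records whether a write landed in the Wow6432Node view, and flags each value against the clean-system defaults a responder would compare with. The sample rows are transcribed from the behavioral1 tables; the default values (Winlogon Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe, and "%1" %* for the exefile/comfile/batfile/piffile open commands), the category labels and the technique names are the example's own assumptions, not part of the report.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: registry rows transcribed from the behavioral1 signature tables.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"',
]

ROW_RE = re.compile(r'^(Set value \((?:str|int)\)|Key created) (\\REGISTRY\\.*?)(?: = "(.*)")?$')
SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-\d+-\d+-\d+-\d+\\', re.I)
WOW_RE = re.compile(r'\\wow6432node\\', re.I)

# Assumed clean-system defaults (example's own table, lower-cased for comparison).
DEFAULTS = {'shell': 'explorer.exe', 'userinit': r'c:\windows\system32\userinit.exe,'}
DEFAULT_OPEN_CMD = '"%1" %*'
ASSOC_RE = re.compile(r'\\classes\\(exefile|comfile|batfile|piffile|lnkfile)(\\shell\\open\\command)?$')


@dataclass
class Finding:
    category: str          # 'persistence' or 'evasion'
    technique: str
    key: str
    name: str
    data: Optional[str]
    wow64: bool            # True when the write went to the Wow6432Node view
    note: str


def parse_row(row):
    """Split one report row into (operation, key, value name, data, wow64)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError('unrecognised row: ' + row)
    op, raw_path, raw_data = m.groups()
    path = SID_RE.sub(r'HKCU\\', raw_path)                       # user hive -> HKCU
    path = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', path, flags=re.I)
    wow64 = WOW_RE.search(path) is not None
    path = WOW_RE.sub(r'\\', path)                               # drop the view marker
    if op == 'Key created':
        return op, path, '', None, wow64
    if path.endswith('\\'):                                      # trailing '\' = (Default) value
        key, name = path[:-1], '(Default)'
    else:
        key, name = path.rsplit('\\', 1)
    data = re.sub(r'\\(.)', r'\1', raw_data)                      # undo the report's \\ and \" escaping
    return op, key, name, data, wow64


def classify(key, name, data):
    """Return (category, technique, note) for a suspicious value, else None."""
    k, n, d = key.lower(), name.lower(), (data or '').lower()
    if k.endswith(r'\windows nt\currentversion\winlogon') and n in DEFAULTS:
        if d != DEFAULTS[n]:
            return 'persistence', 'Winlogon ' + name, 'default is ' + DEFAULTS[n]
        return None
    if k.endswith((r'\currentversion\run', r'\currentversion\runonce')):
        return 'persistence', 'Run key', 'autostart ' + name + ' -> ' + data
    m = ASSOC_RE.search(k)
    if m and n == '(default)':
        if m.group(2):                                           # ...\shell\open\command
            if d != DEFAULT_OPEN_CMD.lower():
                return 'persistence', 'file-association hijack (' + m.group(1) + ')', 'open command replaced'
            return None
        return 'evasion', 'file-type display name (' + m.group(1) + ')', 'shown as ' + data
    if k.endswith(r'\policies\system') and n == 'disableregistrytools' and d == '1':
        return 'evasion', 'DisableRegistryTools', 'regedit blocked by policy'
    if k.endswith(r'\policies\explorer') and n == 'nofolderoptions' and d == '1':
        return 'evasion', 'NoFolderOptions', 'Folder Options removed from Explorer'
    if k.endswith(r'\explorer\advanced') and (n, d) in (('hidefileext', '1'), ('showsuperhidden', '0')):
        return 'evasion', 'Explorer view ' + name, 'hides extensions or system files'
    if k.endswith(r'\control panel\desktop') and n == 'scrnsave.exe':
        return 'persistence', 'screensaver executable', 'runs after idle timeout: ' + data
    return None


def triage(rows):
    """Parse every row and return the Findings worth a responder's attention, in row order."""
    findings = []
    for row in rows:
        op, key, name, data, wow64 = parse_row(row)
        hit = classify(key, name, data)
        if hit:
            findings.append(Finding(hit[0], hit[1], key, name, data, wow64, hit[2]))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        view = ' [Wow6432Node]' if f.wow64 else ''
        print(f'{f.category:<11} {f.technique:<38} {f.key}\\{f.name}{view}: {f.note}')
```

Feed it the rows of any other report in this format and compare the `wow64` flag against the process's bitness: a 32-bit sample writing Winlogon values under Wow6432Node is the case to double-check on a 64-bit host, since the native view is the one Winlogon itself reads.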

Processes (image path, then command line)

C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe
  "C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe"
C:\Windows\xk.exe
  C:\Windows\xk.exe
C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Note: IExplorer.exe was launched with a system32 path but the image ran from SysWOW64, which is WOW64 file-system redirection for a 32-bit process; the Winlogon Shell and Userinit values point at the system32 path, so on a 64-bit host look for the file under both directories.

Network

N/A

Files

memory/2980-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 4936af21369c05c4aaa080f1920e0bf4
SHA1 b99ee596c5dd7adc36a67b502d384bd5802ca88a
SHA256 fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810
SHA512 e9f6a31597708f507790e5a5f79ce486732776700a6aba3847b903e0801540ffbc5e3f085401c0283b2f9826e97af0cb4f737c9cbfcc63a2de6e8b7871c79cec

C:\Windows\xk.exe

MD5 30491f493f652dec961fb91683d5488c
SHA1 55fa9d44ef09aa44a7b2e797f74daf6a050e357f
SHA256 cae2562077d40cceceb3d3a27bdc3c455b51f2e58d0cb68d6dbe5868d1263f24
SHA512 8e9e847d658c13ee84dcdaf62f7a9fdaf85960661e96ece329b5d44148f0f3a23596e592efcf4f8b1fecfe427a11a6893eefea7a781d0cb0d2f35314c4650f3b

memory/2980-110-0x00000000025A0000-0x00000000025CE000-memory.dmp

memory/1760-112-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2980-111-0x00000000025A0000-0x00000000025CE000-memory.dmp

memory/1760-115-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 fb368e90a13796c654e9eadfd9cfa650
SHA1 704d478da89a1c1c309cae5dc5a17de5bbe1eb71
SHA256 8a9f5d62dc2a894f5ba66608f75fb8e925a3c13f6bc3c2cef2e62e8010fe32f0
SHA512 597db0f001a560a4076248022fc56feec84fbaa573839294c8cd8334398b75d6eb746ab78e263a45911af24bb88503e849869d0a9f5aa6819ec801b5d13a890a

memory/3012-123-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3012-126-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 a27c3271ff10d49e877bb0fc53b0c6d5
SHA1 05682a9ecb6701330909a34c39781a38bdbbb298
SHA256 43372811cf60b104e0ab09a7adbd0178e0362ab7fba7249b7b24b7765c0bd579
SHA512 dfb75e803640540ac34045a194c25a38d496036f95d9b30934cd931d43d742b47cdc0ae65af152c8243af94d66c6d172658695153020f734dfd98e1a6959231b

memory/2284-136-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 3262a0453821dff1d5ce0a7cf36ce2b0
SHA1 992ff0211dd8d46c070e0d28b9470baa28e150ac
SHA256 70a4ae5be0be725589d8075cc63f8f20d61992b9d5cfea3498cd488d09921a0d
SHA512 8a8b823423a8e8ca8969622a7e72d642d586a64b17641b053d33a80cd012921f186e04c73e0f69f5e519c6a12133c45592f065d66391e4ec09fea77240626c7b

memory/2024-146-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 b639515ac992f807a9b24d50c8694177
SHA1 fc451b000e207b4d1039dd6f72194fb4169f14be
SHA256 4500c394239b3025fe69d6d379e137a036e2649524d6535d14f75f59a6bb6247
SHA512 de6244e4519bc43f11dcb4ee9521dde58f2cfdd43c9052b8021ce8c38735ec814f4d7a91422d8f0f16482ed430bccbb264f6eca4151a70e582363851cb82d060

memory/344-156-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 c1b6ab9d2cc52443af26eefff4157d15
SHA1 820008d04020caa23a42f91d343808f538654014
SHA256 20b8d4fd53ffee6eb0e8c85470fd4f93d326ba21bd40abec384f5069b5dfb565
SHA512 7cd5d045aa81a59059522af94c28feecbc9414202f607a77b37349a1fb9228b85e015e772a5a0bee23b5778d08d54095171b53ba09ff35c6007364b88c235175

memory/2980-163-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1444-167-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 ee3b6d8c96d79dda70cc5c6cc2e28755
SHA1 b3d2ed1dbde1ce7ac3e8d0fa863e4ae2d12f0029
SHA256 27dfe729a29e3ab47a0074fc77437a223bbbb9e7f3ee7e2d0df4870b4ab600b3
SHA512 2d7abeaceec7f6e8b3e4c8766ff09f3aea1e3d5db7339f3cb496a48b2f705395f44a340c1a5bdefe7979a01f8340f4d251e3bedd3bdfe96ae3b3b800ab285086

memory/2980-180-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2880-179-0x0000000000400000-0x000000000042E000-memory.dmp
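A second added example (not from the report) cross-references the behavioral1 Files, Run-key and WriteProcessMemory data: it resolves the legacy "Local Settings\Application Data" profile paths used in the Run keys to the AppData\Local paths the files were actually captured under (junctions on Windows Vista and later), separates the one dropped copy that is byte-identical to the submitted sample from the copies with distinct hashes, and counts the WriteProcessMemory rows per target, labelling a target as a spawned child when it also appears in the Processes list. The hashes, paths and PIDs are transcribed from this report; the explorer.exe row is a constructed, hypothetical entry used only to exercise the other branch of the labelling.

```python
from collections import Counter

SAMPLE_SHA256 = 'fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810'

# Dropped files and SHA256 hashes transcribed from the behavioral1 Files section.
DROPPED = {
    r'C:\Users\Admin\AppData\Local\winlogon.exe': 'fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810',
    r'C:\Windows\xk.exe': 'cae2562077d40cceceb3d3a27bdc3c455b51f2e58d0cb68d6dbe5868d1263f24',
    r'\Windows\SysWOW64\IExplorer.exe': '8a9f5d62dc2a894f5ba66608f75fb8e925a3c13f6bc3c2cef2e62e8010fe32f0',
    r'\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE': '43372811cf60b104e0ab09a7adbd0178e0362ab7fba7249b7b24b7765c0bd579',
    r'\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE': '70a4ae5be0be725589d8075cc63f8f20d61992b9d5cfea3498cd488d09921a0d',
    r'\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE': '4500c394239b3025fe69d6d379e137a036e2649524d6535d14f75f59a6bb6247',
    r'\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE': '20b8d4fd53ffee6eb0e8c85470fd4f93d326ba21bd40abec384f5069b5dfb565',
    r'\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE': '27dfe729a29e3ab47a0074fc77437a223bbbb9e7f3ee7e2d0df4870b4ab600b3',
}

# Autostart targets exactly as written in the Run keys above (legacy profile paths).
RUN_TARGETS = [
    r'C:\Windows\xk.exe',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE',
]

# Image paths of the children listed in the Processes section.
SPAWNED = [
    r'C:\Windows\xk.exe',
    r'C:\Windows\SysWOW64\IExplorer.exe',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE',
    r'C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE',
]

# WriteProcessMemory rows as (source PID, destination PID, target image). The report
# lists four identical rows per child; the * 4 reproduces that multiplicity.
WPM_ROWS = []
for _dst, _target in [(1760, SPAWNED[0]), (3012, SPAWNED[1]), (2284, SPAWNED[2]),
                      (2024, SPAWNED[3]), (344, SPAWNED[4]), (1444, SPAWNED[5]),
                      (2880, SPAWNED[6])]:
    WPM_ROWS += [(2980, _dst, _target)] * 4

# Hypothetical row (NOT in the report): a write into a process the sample did not start.
HYPOTHETICAL_INJECTION_ROW = (2980, 1234, r'C:\Windows\explorer.exe')


def canonical_path(path):
    """Lower-case, add the drive the report sometimes omits, and resolve the profile junctions."""
    p = path.lower().replace('/', '\\')
    if p.startswith('\\'):
        p = 'c:' + p
    # On Vista and later "Local Settings" and "Application Data" are junctions into AppData\Local.
    p = p.replace('\\local settings\\application data\\', '\\appdata\\local\\')
    p = p.replace('\\local settings\\', '\\appdata\\local\\')
    return p


def hash_triage(dropped, sample_sha256):
    """Split dropped files into exact copies of the sample and the distinct hashes to block."""
    same = sorted(p for p, h in dropped.items() if h == sample_sha256)
    distinct = sorted({h for h in dropped.values() if h != sample_sha256})
    return same, distinct


def match_autostarts(run_targets, dropped):
    """Map each Run-key target to the (dropped path, sha256) it resolves to, or None."""
    by_canon = {canonical_path(p): (p, h) for p, h in dropped.items()}
    return {t: by_canon.get(canonical_path(t)) for t in run_targets}


def wpm_summary(rows, spawned_images):
    """Collapse repeated WriteProcessMemory rows and label each target by whether the sample spawned it."""
    spawned = {canonical_path(p) for p in spawned_images}
    out = []
    for (src, dst, target), n in sorted(Counter(rows).items()):
        kind = 'spawned child' if canonical_path(target) in spawned else 'write into pre-existing process'
        out.append({'src': src, 'dst': dst, 'target': target, 'writes': n, 'kind': kind})
    return out


if __name__ == '__main__':
    same, distinct = hash_triage(DROPPED, SAMPLE_SHA256)
    print('identical to sample:', same)
    print('additional hashes to block:', len(distinct))
    for target, hit in match_autostarts(RUN_TARGETS, DROPPED).items():
        print('autostart', target, '->', hit)
    for r in wpm_summary(WPM_ROWS + [HYPOTHETICAL_INJECTION_ROW], SPAWNED):
        print(r['src'], '->', r['dst'], r['writes'], 'writes', r['kind'], r['target'])
```

The point of the hash split is that blocking only the submitted SHA256 would miss seven of the eight dropped binaries here; the point of the path canonicalisation is that a hunt keyed on the literal Run-key string would miss the files as they are actually stored.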

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-01 05:32
Reported: 2024-06-01 05:34
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe"

Signatures

Modifies WinLogon for persistence [persistence]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""

Modifies visibility of file extensions in Explorer [evasion]
Process: C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

Modifies visibility of hidden/system files in Explorer [evasion]
Process: C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"

Detects executables built or packed with MPress PE compressor
  19 matches; the export records no description, indicator, process or target for them (all N/A).

Disables RegEdit via registry modification [evasion]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (int) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables use of System Restore points [evasion]
  (no indicator rows in this export)

Modifies system executable filetype association [persistence]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell

Adds Run key to start application [persistence]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"

Drops file in Windows directory
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  File opened for modification C:\Windows\xk.exe
  File created C:\Windows\xk.exe

Modifies Control Panel [evasion]
Process (all rows): C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe; Target: N/A
  Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
  Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1848 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Windows\xk.exe |
| PID 1848 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Windows\xk.exe |
| PID 1848 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Windows\xk.exe |
| PID 1848 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Windows\SysWOW64\IExplorer.exe |
| PID 1848 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Windows\SysWOW64\IExplorer.exe |
| PID 1848 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Windows\SysWOW64\IExplorer.exe |
| PID 1848 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE |
| PID 1848 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE |
| PID 1848 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE |
| PID 1848 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE |
| PID 1848 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE |
| PID 1848 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE |
| PID 1848 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE |
| PID 1848 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE |
| PID 1848 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE |
| PID 1848 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE |
| PID 1848 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE |
| PID 1848 wrote to memory of 1580 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE |
| PID 1848 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE |
| PID 1848 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE |
| PID 1848 wrote to memory of 3428 | N/A | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE |

System policy modification

evasion
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe

"C:\Users\Admin\AppData\Local\Temp\fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |

Files

memory/1848-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 4936af21369c05c4aaa080f1920e0bf4
SHA1 b99ee596c5dd7adc36a67b502d384bd5802ca88a
SHA256 fc0e5c52c79e20e68cefbf2431deaf7622dd425301ca8b83901ec17118dc5810
SHA512 e9f6a31597708f507790e5a5f79ce486732776700a6aba3847b903e0801540ffbc5e3f085401c0283b2f9826e97af0cb4f737c9cbfcc63a2de6e8b7871c79cec

C:\Windows\xk.exe

MD5 166cc65bbecc4dcf7285f2a8e9686986
SHA1 fb7e8cb2f2be8df939218defc0e11a8c0000a491
SHA256 db87371d18559a2f3b15d425b3e2a2de371dc1023185700353aa7c39068e4a43
SHA512 893fe06b649e87688b1aca3f00fd00479bfb2b89031d125d37a20c2b33da3c8e72ccf0a7c1153d60dd158db5b41ef4e0f4b90b59d39cad0b4399e37ecfc154f4

C:\Windows\SysWOW64\IExplorer.exe

MD5 69c938dbe4e452ac96355dbdc36e0483
SHA1 9484702aabd0349745353e931fec4acb02f2a581
SHA256 631ab7b6c062d3cce25c3f9ff0fa6ab6158da0ebffb5704a7305d6796f85c746
SHA512 a58bc7a617773c39564938273feda4851405f87effd726c003ed261758d69cc94faaa39be597eff9b4a018641e7e6188d627a60261cb9c43b93c75227053913c

memory/2032-113-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 cc719e737abd2f46103a83edfd013b72
SHA1 f74653890fb02975d229683316e811e40538beb7
SHA256 1dec60ea87323f65bc43c9b21c0cff86e5baf0bcee45bd4d054692f0cf3744aa
SHA512 455166f133288fd6ad948d30c55002ecad0b1673da2822201ea225bbab917cf3bcbed1958c184ad4fd6535992180700509570c5a49817c22552fa774f1ffdffd

memory/3124-124-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1340-122-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3124-126-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 72e9c2a59b713acd82753e40d7c61e8d
SHA1 21fe3a40853dc8963b580ee782cdedaf28d14f0e
SHA256 bfcd50422ff431e42f916a9404728fd598f1786527d65bfd9c3d7a2073ec5b98
SHA512 c0cfdcc86fc318f8081bef47cc5839374c0020a94f4c92e47fdfb109220221bb48fc1c0cc56bc784b114c9b8e06bc14f8fe05f98dc1e6c2ea4690b505b5f01bb

memory/4496-130-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 bd3c824313ee8ba0541b82e94b293fb4
SHA1 8335f0f828afd4917e9cae054bd9c6b3bd51c3da
SHA256 0b579b336ab5b9ca3ecaed318e28dc9cd4d1f1d34f84eca42702f6fcfb4b8e66
SHA512 a4fbc22c427f7d6bdbee685175b8225f07101ebc439365f830df095aa88571b57634e4329d583cb603c407cc01105b564f939374d157779bdada85cd8964d8af

memory/4496-136-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2684-143-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

MD5 9e17e64519f2b822bd12839425514a22
SHA1 7dddd167662d5c8d22d8e0c3485a16209c09b976
SHA256 01f3b5ae21bd8b940ecbcc00faacde2e21c51989504b5ab791aa5738bcc65109
SHA512 7f8ef7e1b5af53d9446406f315eb615a5d8bdafe595a79b3ebf3857f80089d73156d30356f5967b567081820ad55c88917a6b374c70a73c928d9df191291072a

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 060a9d0c6e1cece7fbaf43ca94501148
SHA1 a071342c0f3f4346ef277cbd51c2c122f42c3594
SHA256 92c7947a9dc1d0f57983ff51a29db9e9ef7a634af884a800fb17866021a31289
SHA512 8f2ea8eb946e8fd66ab80350d6378580fe4b2c1c5a32560e610ccbd3b0f052e0256c1fda8fb5fc76943e7598578ee673d02acd4233a381891ca94756c075158f

memory/1580-148-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3428-155-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1848-157-0x0000000000400000-0x000000000042E000-memory.dmp