Malware Analysis Report

2025-01-06 10:11

Sample ID 240601-favh4sah29
Target e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96
SHA256 e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96
Tags upx evasion persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96

Threat Level: Known bad

The file e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96 was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

UPX packed file

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 04:40

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 04:40
Reported 2024-06-01 04:43
Platform win7-20240220-en
Max time kernel 120s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\xk.exe
PID 2872 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2872 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2872 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2872 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2872 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2872 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe

"C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2872-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 687ff653341321e0aac3866259aa8c22
SHA1 fbccf908227ba427ddf82653a49ed0cedafac4f1
SHA256 e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96
SHA512 ac7dac6ea5ff8628c0769ef6711fe83c87f944f6a2a09dead094242f039bb389186eb78880f23ea01881c7b35f2e0f6e8be7508ac1a44c4e15625b5f94d892ed

C:\Windows\xk.exe

MD5 b9cd3dce223bd2fdd3a141a5991515a9
SHA1 3c8c8068ba8cfe161534777867b26943cd858d06
SHA256 adbb9a25f837263915bf92e93311f3ed02a02d152b5eb38ef6269dce2a579a77
SHA512 64dab91d2d083f029defc0ba39e7cd67a33e61d12082a070a5c4aac0fdab8a5688fa058c1003a34eb772b361e4f277e5f2dd781d3c1be059827cb471c93197af

memory/2660-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2872-110-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/2872-109-0x00000000003D0000-0x0000000000400000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 f85b2492bb00cadb449812ef7873d2a5
SHA1 a56d6dc1aae11a575c2bc914b301b3ea2eca8a5d
SHA256 8dbeebc33815f1b736eb6f763a1b818447b9b53df1b21a9a0df61b4bf93728a5
SHA512 942a8add3a3a3d42ec67930bbbf664151c8e63ae97e82167d0457cc592965d2b42500c1f10fce33d6770b2a4e325b694ace5a488bedf73ee217e153889c57269

memory/2660-114-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2872-116-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/2732-125-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 e48156085bf2775853b9bb87904c98f9
SHA1 8745aa165834dccb8169fcc2e2a8860253062c1a
SHA256 0b3e12a2f9d16ae06cf0b87a6f8e3fbf6b3b02008d36aa5c8d9ed1ec686257f5
SHA512 792833f5b120ea7b49530dd847bdf43960e00b984626d4c33016dd2b201e681815e58c009484b525c0b35c6fa3ae73b13a6a600eccceb370113aad7248984830

memory/2872-130-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/1252-136-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 d74b133b532fd714ea0998e5f6b23d61
SHA1 323d0ab6a5c4fac04a1d5aff9ba926e586763ef3
SHA256 71975e67c62e9aff56c9fab0d03c6ce82e18b32c14a917fe3ba8d166ba6b908c
SHA512 b96761de4887685a312a42e766445cf343cf88871009ae01b276f168d9172bf16dd431c8282ce5b8dec0b29f35411e2e996002484a0397425db6748c757d9b44

memory/1544-145-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2872-144-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/1544-150-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 49dba54e31d957740d2ae64c1e7100e2
SHA1 1ec92a08514bad20ae96add44000b9ab5a4ee767
SHA256 edd314a4ff5b8f4801fbc1e647d5a658d2786f59cf714b15444173bec416127b
SHA512 ff020d5c33c8e4a95627022cdb3dec15779296b99962a067fb3dd7270350c068be54b23666b43025bd7be3fa12a9c5972b0d3f0b39111a1cca89d7b7eb673740

memory/2872-151-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/828-159-0x0000000000400000-0x0000000000430000-memory.dmp

memory/828-160-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 8cf9de51539c533ea30fe8f85e24bc88
SHA1 194534f83e74a35ddedf46edb297db07eda8f3de
SHA256 e925986d6fab2fca66ae015b2506c53152dd191ccfa60ae8cbe490e9c4381754
SHA512 208c7ee765cd77c0e185c82d7fc63fc896fce2dedc35e1e23370af835abeaefad3a397bb9fe231cc68af6bd14a747f74b6757d77b81fe9224c0a90b4dbd88436

memory/2872-165-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/2872-169-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1192-172-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 8850004d4fb2320c84c504fd3e8a29f9
SHA1 35a53d22a9420b5c3800c513d5735e21883e9740
SHA256 5f7f1999a4d33eb9afbe99a3895986a69af96620e4b1d53acc65dce35cdb4a23
SHA512 0a0ebe8f7d12626bbea0b9cf45818221015c2287dd66bea7764184a8e14820b1ea6df04fd8b63aa92b702c611c75d097500d3a4683d10cac8f4042bfdc9a2bcf

memory/2016-180-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2016-183-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2872-184-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 04:40
Reported 2024-06-01 04:43
Platform win10v2004-20240508-en
Max time kernel 93s
Max time network 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2928 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\xk.exe
PID 2928 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\xk.exe
PID 2928 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\xk.exe
PID 2928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2928 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2928 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2928 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2928 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2928 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2928 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2928 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2928 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2928 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2928 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2928 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2928 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2928 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2928 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2928 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2928 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe

"C:\Users\Admin\AppData\Local\Temp\e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp

Files

memory/2928-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 687ff653341321e0aac3866259aa8c22
SHA1 fbccf908227ba427ddf82653a49ed0cedafac4f1
SHA256 e941e12d40c517d3d0c54f63d63ea6cb8249d8f396ab7e8daf194c28217fdd96
SHA512 ac7dac6ea5ff8628c0769ef6711fe83c87f944f6a2a09dead094242f039bb389186eb78880f23ea01881c7b35f2e0f6e8be7508ac1a44c4e15625b5f94d892ed

C:\Windows\xk.exe

MD5 6a00e7098414f2d9af2e056c2b3a0165
SHA1 b43cde0892489c28c2ef1855595254742f3179d2
SHA256 83ad15a1eea3466526e344e22c371bbbf5bf31375baef78b1b6c602c6f70c73f
SHA512 21ec609c9afc8c34691f3de3c756051c5b76659bd10e53e26de68d77cd32562570f8f478ffd0f65a49e3fbcf821addf7f05684b83e8f3ef19a9d86d4cdfd3212

memory/2124-107-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 fa08cdddcec30fd473eaed94c7c643ae
SHA1 65e28ea082cf092ffb6ca0b66a7d4b2206848eff
SHA256 78cc469cfbfd892fdd164f7b5b8a2ee5b4a15bc28b54b91a9aeca58d8281419b
SHA512 9e9504ce679b976c50e709b50936d5753d014c76427141c667c9a2842133e834d730cd7cb3b4bbb295a901c18d9507f6803158dfffc192b7fbe8b1a4c9e6ffc3

memory/2080-115-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2124-114-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 d09f3755e038035872922ed638c37953
SHA1 7b33e264bd560c0181c847fd6f8b7abe0cacae78
SHA256 8cc30d05c388b90b0e4e427fbf34fdea97d4349d76647cb4e499cfaf194fda23
SHA512 d426d2e86809be5607cdbcc60331d5d6c39b3804f7eea493adecb6f597b6b88a7ea0b086a45a8730e59201a74c4ff89984cff91a57c245592f51bb78e53d2b2b

memory/2080-121-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3836-120-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3836-125-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 1aa70317c14b1787bc81a600097e4285
SHA1 1db22f4a0791df2da20d1b9beb5f02222fbc4b67
SHA256 4de76254c7cbcd22003d8fbd687c8c544437ec60133e9180d25d4c08612b2dca
SHA512 dfbc470d851b6ddba6ae791c539dcb1a3989b4dcb923cf81e744b36f5d94c5073806feee97ede10d4f0c5c8185267d42e94bfd72a6ce5e5a8bf0887abfddb2ba

memory/624-129-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 651ad6ed881d61db27c18f34d1807ebe
SHA1 3eee2b63921afbcda75bebebb2496c71e867a930
SHA256 6820e5bce333ef63eef5a0921fce59c60312b1669b906f1042b8b3f4dbdb3423
SHA512 434075ace9ec135b853209a166d85297b5c67637355d12fd967d760171bfb2c31f645621740c1e49f7fbc5b39c92b0d744638cecc426bde57bd9982a76c55387

memory/624-135-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4104-136-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 498556f7d9e52ddb5e9bb8d9ec612c13
SHA1 3d05e0b4ff0498be82a74379029a008443294261
SHA256 711bff4cbeb69dc16c21e8945913ee625774641ebaa5ab4d8807ff5c0c3ac143
SHA512 6dd87e133cd89234a0a4991800dee1df36db1115540caca8d4b62e581339c657355ccf1d31087d4fe413dbec3b7d21592ff1412108f7578a879853a7818e0acf

memory/4980-143-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4104-142-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

MD5 7a19534360f7711f957074d2ad874b46
SHA1 42784c38dc6419cace5105aaae6a4f52f66802a9
SHA256 28a8b88ec168bb53fa4a9a620660575c21b067dff18a31e20eb646c8b5f883af
SHA512 55c2f5dfd84527962fa32cc537885d00651e038ac0e09b70cfc86b21b20c9424ffcfaa4cb8c731bf997569b000c981964e6babbd928a536f93371c9519172260

memory/508-150-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4980-148-0x0000000000400000-0x0000000000430000-memory.dmp

memory/508-153-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2928-154-0x0000000000400000-0x0000000000430000-memory.dmp