Malware Analysis Report

2025-01-06 09:33

Sample ID 240601-fydkhabb3t
Target f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d
SHA256 f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d

Threat Level: Known bad

The file f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Detects executables built or packed with MPress PE compressor

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Disables use of System Restore points

Disables RegEdit via registry modification

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:16

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:16

Reported

2024-06-01 05:19

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Note: both values landed under Wow6432Node, the 32-bit view of HKLM\SOFTWARE that registry redirection gives a 32-bit process on 64-bit Windows. The 64-bit winlogon.exe reads the native Winlogon key, so on the 64-bit image used here these entries are not consulted at logon. The matching file-system redirection is why the dropped IExplorer.exe appears as C:\Windows\SysWOW64\IExplorer.exe in the Processes and Files sections although the values name C:\Windows\system32.

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
(23 identical all-N/A rows in the original table, collapsed to one: the packer rule matched, but the report records no indicator, process or target for it)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Suspicious use of WriteProcessMemory

All seven targets below are processes that the sample (PID 2696) launched itself (see Processes); the report records no write into a process that already existed, so the pattern is consistent with the parent setting up its own children at start-up rather than with injection into a foreign process. Four writes are listed per child.
Description Indicator Process Target
PID 2696 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\xk.exe
PID 2696 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\xk.exe
PID 2696 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\xk.exe
PID 2696 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\xk.exe
PID 2696 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2696 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2696 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2696 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2696 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2696 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2696 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2696 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2696 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2696 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2696 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2696 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2696 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2696 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2696 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2696 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2696 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2696 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
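The signature tables above are raw registry writes; what makes each one malicious is its distance from the Windows default (Shell is normally just explorer.exe, Userinit has a single entry, every *file\shell\open\command runs "%1" directly, exefile's label is "Application"). The script below is an added example, not part of this report or of the sandbox's own tooling: it parses lines in the table format used here, compares each value against that baseline, records when a write landed in the Wow6432Node view, and flags Run values that start a binary named like a core system process from a user-profile path. The ATT&CK technique IDs are this example's own mapping, and the input is a constructed subset of the rows above with the process path shortened.

```python
import re
from dataclasses import dataclass

# Constructed sample input: registry "Set value" events in the sandbox's table format,
# copied from the behavioral1 signature tables above (process path shortened to sample.exe).
EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
'''

# One table row: type, path, quoted value (with \" and \\ escapes), process, target.
LINE = re.compile(r'^Set value \((str|int)\) (?P<path>.+?) = "(?P<value>(?:[^"\\]|\\.)*)" (?P<proc>\S+) (?P<target>\S+)$')

# Image names that only belong in System32; seeing them started from a profile path is masquerading.
SYSTEM_NAMES = {'winlogon.exe', 'csrss.exe', 'lsass.exe', 'smss.exe', 'services.exe', 'svchost.exe'}


@dataclass
class Finding:
    rule: str
    technique: str      # ATT&CK ID: this example's own mapping, not the report's
    detail: str
    path: str
    value: str
    wow64_view: bool    # written under Wow6432Node, i.e. invisible to 64-bit readers


def normalize(path):
    """Lower-case, replace the hive prefix, drop Wow6432Node; return (key, value name, wow64 flag)."""
    p = path.lower()
    wow64 = '\\wow6432node\\' in p
    p = p.replace('\\wow6432node\\', '\\')
    p = re.sub(r'^\\registry\\machine\\software\\', r'hklm\\software\\', p)
    p = re.sub(r'^\\registry\\user\\s-1-5-21-[\d-]+\\', r'hkcu\\', p)
    key, _, name = p.rpartition('\\')          # trailing backslash => default value, name ''
    return key, name, wow64


def evaluate(key, name, value):
    """Return (rule, technique, detail) when a write departs from the Windows default, else None."""
    v = value.lower()
    if key.endswith('\\windows nt\\currentversion\\winlogon'):
        if name == 'shell' and v != 'explorer.exe':
            return 'winlogon-shell', 'T1547.004', f'Shell is {value!r}; default is explorer.exe'
        if name == 'userinit':
            extra = [e.strip() for e in v.split(',') if e.strip() and not e.strip().endswith('\\userinit.exe')]
            if extra:
                return 'winlogon-userinit', 'T1547.004', f'extra Userinit entries {extra}'
    if name == '' and re.search(r'\\classes\\[a-z]+file\\shell\\open\\command$', key):
        if not v.lstrip().startswith('"%1"'):
            return 'fileassoc-hijack', 'T1546.001', f'open verb no longer runs "%1" directly: {value!r}'
    if name == '' and key.endswith('\\classes\\exefile') and v != 'application':
        return 'fileassoc-relabel', 'T1036', f'exefile friendly name changed to {value!r}'
    if key.endswith('\\policies\\system') and name == 'disableregistrytools' and v == '1':
        return 'regedit-disabled', 'T1112', 'DisableRegistryTools=1 blocks regedit for the user'
    if key.endswith('\\policies\\explorer') and name == 'nofolderoptions' and v == '1':
        return 'folder-options-hidden', 'T1112', 'NoFolderOptions=1 hides the Explorer view settings'
    if key.endswith('\\explorer\\advanced') and (name, v) in (('hidefileext', '1'), ('showsuperhidden', '0')):
        return 'explorer-hide', 'T1564.001', f'{name}={v}'
    if key.endswith('\\currentversion\\run'):
        base = v.strip('"').rsplit('\\', 1)[-1]
        if base in SYSTEM_NAMES and '\\users\\' in v:
            return 'run-masquerade', 'T1547.001', f'Run value {name!r} starts {base} from a user profile path'
        return 'run-key', 'T1547.001', f'Run value {name!r} -> {value}'
    if key.endswith('\\control panel\\desktop') and name == 'scrnsave.exe':
        return 'screensaver', 'T1546.002', f'SCRNSAVE.EXE -> {value}'
    return None


def triage(text):
    """Parse every 'Set value' row and return the findings that deviate from the baseline."""
    findings = []
    for raw in text.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        value = re.sub(r'\\(.)', r'\1', m['value'])    # undo the report's \" and \\ escaping
        key, name, wow64 = normalize(m['path'])
        hit = evaluate(key, name, value)
        if hit:
            findings.append(Finding(*hit, path=m['path'], value=value, wow64_view=wow64))
    return findings


if __name__ == '__main__':
    for f in triage(EVENTS):
        view = ' [Wow6432Node view: not read by 64-bit winlogon.exe]' if f.wow64_view else ''
        print(f'{f.rule:<22} {f.technique:<10} {f.detail}{view}')
```

For a real report, paste the complete tables into EVENTS; the behavioral2 rows differ from behavioral1 only in the user SID, which the normaliser strips, so the same rules apply unchanged.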

Processes

C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe

"C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2696-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8c98582a916c21dd0a965a3dccebee45
SHA1 248bd6511dba66e2d93c597bf07d623ff77c015d
SHA256 f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d
SHA512 bba791dc30668656863850cd3f85a4c3232d2f6a6ddf4fd1bcc3241addaaac1daf9235392276019e36bfa635e0df10f49caaec70c6b0c6e28447dc0f1b47c7c8

C:\Windows\xk.exe

MD5 f8502ce7f97066e8cc1559b0632f50bb
SHA1 688996b4969dbc14683839f9352df2321fad6f46
SHA256 583b97bae49d24a02857bf2d52249a9540e363c513a30cb8d77369f566fb225e
SHA512 32d501fd350d963b1efbdebf7219760d3f77bf561913daab41bc1ee517e93f5a53466c0e72e0bf6654b52c9f6754e1bd57f01167974a72a6dd91bbe2c0ca78b7

memory/2696-111-0x0000000000430000-0x000000000045E000-memory.dmp

memory/2696-110-0x0000000000430000-0x000000000045E000-memory.dmp

memory/1476-112-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 f3db0defb375fa9c016fb0dd380225bc
SHA1 3a9d6d8baf56309c32fd965f42268b025b87fcf7
SHA256 dcbb759d1586981c067f0eb6e63c32870260801da5965239c7d3cac3d62383e0
SHA512 e6813be0c1ed4bf3fa43f90e86590363acc0fff54727aa3b517790b9571d66c11a2bb3ec27f59f2565ca214d0b78af2eb7d0ca07f3b1b634b797dcd792d96d04

memory/1476-117-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2696-118-0x0000000000430000-0x000000000045E000-memory.dmp

memory/1488-127-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 cc7da6a398b0ac1d6435e62ca0b5ca68
SHA1 1859bbbe0312183bb51b8050b3c1f23fb8447f25
SHA256 5f27742d700fb8633d8143ffef38fff8062c6b5758431d214f2bde8bc4ad8928
SHA512 abba7761babb0c3d6363fd90d61a27244f264c7e14b3e846957c0f19e574a7e430033dc7ffd16e25174d23fbdad307b7bd3990f54745effae15de4d92143801c

memory/2696-137-0x0000000000430000-0x000000000045E000-memory.dmp

memory/1864-139-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2696-138-0x0000000000430000-0x000000000045E000-memory.dmp

memory/1864-140-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 4c08e8349034b2f46527150ffdcd2667
SHA1 6a82c488c0e81f280b1cd5e6fceecc43b246beae
SHA256 24e8f86123c1ceaa1ea9f39e5d67986baec20d604eed8a75eb2d7891ed42611b
SHA512 88e42ee6c338be24b7da5554b698ac8a9b7b2c5f8c6f1dd34ebc8d9644602fbd0928443d462ac8856744c076a28e5d12871fef451fc6f13887b12df5a26f2ba9

memory/1856-150-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 e0e4766d966f4afba13158207cf5f6f0
SHA1 de7d7450f1d5f8d2c7a976f838d30b13ca77f4a3
SHA256 e23d23d4993cd7ebcc463fc3b1d4a9b8301a91cf05ab4e36d0f11e7191680130
SHA512 099f5ed1c03691703bd492d92db27d8e40269c7c633465510163d54912853046766e37a2557053da590447c798c96c1ee75079d7b8faeac6a017492fb1f6427b

memory/2696-160-0x0000000000430000-0x000000000045E000-memory.dmp

memory/296-161-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 651571865fdb41d1cc8e5b79147ad467
SHA1 72269e6f702fbaabb24430167ff69f4e27621306
SHA256 a5edcc2fae4de09ce88db77efea9d5fced7f802fb659c240f78321bc39825035
SHA512 fef600a0763006ca682965b5fd4fda105721bcf87e99c3ad3117b73c59457ca11a42cd823d64d102acb099d9144054544f3c220ad8fff0178bdc4fcc6293c6fe

memory/296-170-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2696-171-0x0000000000430000-0x000000000045E000-memory.dmp

memory/2244-174-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 5e414da6d626ee3b6d10e8b244868b65
SHA1 64fe94dea6f235bd7717641dd0466264502268be
SHA256 5d6432708eb5af1164c5852aa1edf709f7530f1cff5bdff2c013107828d7f9da
SHA512 e30ee321f498207195151eaa6e2f8975be1ea6a7ec5cc17897b5b5501533dea518f6e16985acd9a98de0878d4515897eee7235097956aa22440456cb19b31d19

memory/2696-181-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2696-183-0x0000000000430000-0x000000000045E000-memory.dmp

memory/2708-187-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2696-188-0x0000000000400000-0x000000000042E000-memory.dmp
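The Files section mixes memory dumps with dropped executables and lists the same path more than once. Two things a responder wants from it are an IOC list and an answer to which drops are copies of the sample itself or are named to impersonate core Windows processes. The following is an added example, not code from this report or its vendor: it parses a constructed cut-down copy of the section above (five of the dropped files, with the hashes as listed) and generalises to the full section. It flags self-copies by SHA256 match with the submitted sample, files from the smss/csrss/winlogon/services/lsass family that live outside System32 or SysWOW64, and files that landed in SysWOW64 through file-system redirection.

```python
import re
from dataclasses import dataclass, field

# Constructed input: a cut-down copy of the behavioral1 "Files" section above. Each dropped file
# is a path line followed by hash lines; memory-dump entries are interleaved and carry no hashes.
FILES_SECTION = r'''
memory/2696-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8c98582a916c21dd0a965a3dccebee45
SHA1 248bd6511dba66e2d93c597bf07d623ff77c015d
SHA256 f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d

C:\Windows\xk.exe

MD5 f8502ce7f97066e8cc1559b0632f50bb
SHA256 583b97bae49d24a02857bf2d52249a9540e363c513a30cb8d77369f566fb225e

memory/1476-112-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

SHA256 dcbb759d1586981c067f0eb6e63c32870260801da5965239c7d3cac3d62383e0

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

SHA256 5f27742d700fb8633d8143ffef38fff8062c6b5758431d214f2bde8bc4ad8928

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

SHA256 24e8f86123c1ceaa1ea9f39e5d67986baec20d604eed8a75eb2d7891ed42611b
'''
# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = 'f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d'

# Names of core system processes; a file with one of these names outside the system directories
# is a masquerade (the report's dropper names its payloads after exactly these processes).
SYSTEM_PROCESS_NAMES = {'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe', 'svchost.exe'}
HASH_LINE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$')


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files(text):
    """Group each path line with the hash lines that follow it; memory dumps are skipped."""
    entries, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith('memory/'):
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2)
        elif '\\' in line:
            current = Dropped(path=line)
            entries.append(current)
    return entries


def assess(entries, sample_sha256):
    """Return (rule, path) pairs: self copies, system-process name masquerading, WOW64-redirected drops."""
    findings = []
    for e in entries:
        p = e.path.lower()
        name = p.rsplit('\\', 1)[-1]
        in_system_dir = '\\windows\\system32\\' in p or '\\windows\\syswow64\\' in p
        if e.hashes.get('SHA256') == sample_sha256.lower():
            findings.append(('self-copy', e.path))
        if name in SYSTEM_PROCESS_NAMES and not in_system_dir:
            findings.append(('masquerade', e.path))
        if '\\windows\\syswow64\\' in p:
            # A 32-bit writer asked for system32; file-system redirection put it here.
            findings.append(('wow64-redirect', e.path))
    return findings


def iocs(entries, sample_sha256):
    """Sorted SHA256 list for blocking, excluding the submitted sample's own hash."""
    return sorted({e.hashes['SHA256'] for e in entries if 'SHA256' in e.hashes} - {sample_sha256.lower()})


if __name__ == '__main__':
    dropped = parse_files(FILES_SECTION)
    for rule, path in assess(dropped, SAMPLE_SHA256):
        print(f'{rule:<15} {path}')
    print('block:', *iocs(dropped, SAMPLE_SHA256), sep='\n  ')
```

Fed the complete section, the same code flags all five drops under \Users\Admin\AppData\Local\WINDOWS\ as masquerades and emits the SHA256 of every dropped file except the sample's own copy.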

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:16

Reported

2024-06-01 05:19

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
(19 identical all-N/A rows in the original table, collapsed to one: the packer rule matched, but the report records no indicator, process or target for it)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\xk.exe
PID 1976 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\xk.exe
PID 1976 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\xk.exe
PID 1976 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1976 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1976 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Windows\SysWOW64\IExplorer.exe
PID 1976 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1976 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1976 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 1976 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1976 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1976 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 1976 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1976 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1976 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 1976 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1976 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1976 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 1976 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1976 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 1976 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe

"C:\Users\Admin\AppData\Local\Temp\f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/1976-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 8c98582a916c21dd0a965a3dccebee45
SHA1 248bd6511dba66e2d93c597bf07d623ff77c015d
SHA256 f5e66e960a2bdf55160abb4706bdfdae2f56247b55bf7ce30aada89bbbd4688d
SHA512 bba791dc30668656863850cd3f85a4c3232d2f6a6ddf4fd1bcc3241addaaac1daf9235392276019e36bfa635e0df10f49caaec70c6b0c6e28447dc0f1b47c7c8

C:\Windows\xk.exe

MD5 271e22493df82e3b7a30c95b93953e05
SHA1 881e563381c4ba9851fdb905de4f357a2dc98708
SHA256 f614c6fb7f229948293ff54a2d476afee424c53cb770759b979fb68018d90fdc
SHA512 68e39d225c6f2385b88db119a9db57b909df64e215a98c811d1e85ef2ac945afc76b491999b5c1ee40e041986678d0189b78b191c53f5b2b046a5dc2119f5ff1

memory/1960-108-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 9ffc820f898bf6c345e67cba63717761
SHA1 d2712034da5adabf6edb4c024cb0adc6299b5f68
SHA256 43cbe72b3820da5f75cde597f7bfdceba049fba5981fc39fd0eea190009fe006
SHA512 2bac4d376af8de119698f946a15e620d174104bc9521ab7da9af766f0fafe1fb31e270e53d247480e889b704a53e5eabf8d1ca7c52de2538e3d60e2e6046874b

memory/1960-115-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1208-118-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 2a1680a6ca3ec78ceb485a92665259bd
SHA1 c345e3b32c589f376b7564ac8d9c2da9419d7cd0
SHA256 a5b8e34271f597634d2f02a0a4565bf6ede3d1333f8cbae6a8490456bec160c1
SHA512 f3a4a2f74b1d8640aac01371c53172926c8d5406d92748b90646ecc4261c60c058fc18d300e3be959cf70463ad3786a8a978840e0564a9bd3c09821592a67ea3

memory/2680-124-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 1899241d2e80c08ac5558483686503fc
SHA1 0d27aa4b75bbbe1e368e9db3f410102fb7f181fe
SHA256 1f55ecb25f171858f431be4addc3dada100d77246fdaa58e2c514b2405156f30
SHA512 89221b37cb120a03b8500540be6697fd0e0dee0753e1069963efe4722392a2d9ad8d2ee1c3fdc56e8f6ffc73b37f7ef066574844d7f49b9019b4146fba0e7d02

memory/3148-131-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 3ee5bc34030369d39fbf768f789b097d
SHA1 40e0a202b73e3fcd040df6a59530c14c076554e3
SHA256 de90457422568a68d6aaa3d92d050e18f04d0b184ecf31f6f0e3a35d41bf186d
SHA512 d0f6d17e81c1e8c3bbee29fc81a17d8547a7d573dfe58941e6ab0cb0760b488fe56c50e144f2627a17b1ad1e0f37aac95a41efe41d775901d51c356e3a1903d4

memory/5032-138-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 85f10280ce8b74d5fe62e9ac32d2d722
SHA1 9b1f402f5573e71413aac691e4a140db0a738625
SHA256 62e4be24db5c3ae671db7da3968847ef2f596d2e6e450b16a4eab8ef06d91270
SHA512 5c63ba2f9db65bf16fc41346ce73894f9c9fd92073dfa5ce228dca5b69385ed2c1d00cc0bb1371de2cd94b430eeecdad21274db08c3037e69d838b0c996e1bd4

memory/624-144-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 134181ecbb32c64eb9e1d12f8bd6a54c
SHA1 463e5b44ae2f9e2b17df3cad235978ba00e34da3
SHA256 b99c59aad7caad8aae72327fbcdc60b82955c6f3e0aa14953964d9399d4f90b2
SHA512 c3662534b8cf127e72e12b36dfc0ba9b7c236594d51d153787426d3e8f6960807c3725801a92063783e091e0e54562d4ce2e8ecca5e51a65ccdb6ce0087faf10

memory/2820-148-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2820-152-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1976-153-0x0000000000400000-0x000000000042E000-memory.dmp