Malware Analysis Report

2025-01-06 11:00

Sample ID 240603-e3g8tabc7z
Target da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1
SHA256 da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1
Tags
upx evasion persistence
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1

Threat Level: Known bad

The file da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1 was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

UPX dump on OEP (original entry point)

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Modifies Control Panel

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 04:27

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 04:27

Reported

2024-06-03 04:30

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\xk.exe
PID 2932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\xk.exe
PID 2932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\xk.exe
PID 2932 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\xk.exe
PID 2932 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2932 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2932 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2932 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2932 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2932 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2932 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2932 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2932 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2932 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2932 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2932 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2932 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2932 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2932 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2932 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2932 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2932 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2932 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2932 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2932 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe

"C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2932-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 056c0582c80df41cc6bdc31e2002a589
SHA1 d53ea58f1efb0c2086585e8b2067ca8ae5a6be49
SHA256 da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1
SHA512 0e82b0cb66a52796be67034e0de73c5e735045811315c51f846a5fd5319fb801d855423644c7f2d71fa7478ba0b23fee62f098e1ad25ff0d1ba869f8c540b515

C:\Windows\xk.exe

MD5 f11addcd13e3770ecc70309b7c33b160
SHA1 8a75fbbc54ea8bc56dd9221f7ea66cc6e7d5834e
SHA256 ff84438450a53992f14b0dbc6b657dbfc40c971b205cf9b6f1d1aa844488b15a
SHA512 bcd667719990d2b4de57c5dedb3d71e2649b3db999227710cdef38938a6baf69e44ae3fc86809eaee6339e5bd94d59bc76f4f8a64ef9a83300ed133edb80829d

memory/2916-111-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2932-110-0x0000000000510000-0x000000000053F000-memory.dmp

memory/2932-109-0x0000000000510000-0x000000000053F000-memory.dmp

memory/2916-116-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 788dfde3be5e57006351f8262faeed71
SHA1 0fc3d97578696c918fe6554b647457066cbb1279
SHA256 2d34b7cfc2c23592ba82bce1e1f85d2dff0e77672f7fcdb1de671a88d08658fd
SHA512 9d50c5c22678424abb5c11f5976dd90e0b3be7e397bad33a8d0d1bb8aefb01991faaf45a81c56116917ce79bad3daa87e44c6b41c7cdae1d7d800cfaed01930c

memory/2932-117-0x0000000000510000-0x000000000053F000-memory.dmp

memory/1968-126-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 5d7c3376d98249f2f195ffad7f379c6e
SHA1 31fb4e2279bc249fe539975061c00b5bcf622677
SHA256 6606c349c280f727aded4a0bd1ac890214baef2770b18bd9552c5b17c5bcb593
SHA512 f81441ef24ff7f9bbdf9259182e9b828597b9f09a0c630e96fa577b77530bdf8b79762589f754aee44b193a2e4f94b83068828bdbc2d062d8b6dca69a5315a6f

memory/2932-133-0x0000000000510000-0x000000000053F000-memory.dmp

memory/2572-140-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2000-146-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2000-149-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2932-157-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2008-161-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2400-169-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2400-172-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2392-183-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2932-184-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 04:27

Reported

2024-06-03 04:30

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\xk.exe
PID 3352 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\xk.exe
PID 3352 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\xk.exe
PID 3352 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3352 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3352 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3352 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3352 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3352 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3352 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3352 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3352 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3352 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3352 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3352 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3352 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3352 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3352 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3352 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3352 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3352 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe

"C:\Users\Admin\AppData\Local\Temp\da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3352-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 056c0582c80df41cc6bdc31e2002a589
SHA1 d53ea58f1efb0c2086585e8b2067ca8ae5a6be49
SHA256 da285a3fd1f4bcb67362a2b7c033aee2e83214073d33f3c607966f6f031941e1
SHA512 0e82b0cb66a52796be67034e0de73c5e735045811315c51f846a5fd5319fb801d855423644c7f2d71fa7478ba0b23fee62f098e1ad25ff0d1ba869f8c540b515

C:\Windows\xk.exe

MD5 041f5d1edac19b8eba91926c143fa18f
SHA1 778b64c390285650aaa28f5d42581bb94e10996a
SHA256 4e4b1088f5ea3f927399d0234a5f811b2af8ac9e2a98923c5374a00ad0647eca
SHA512 7c18509d61583d8c07206a6646842e02d5bb831ebb9233c76b67505ea7c0330b36c28e1f6122ff739909bda29980679207fce37d7cadcbab5c67ae213de35041

memory/2184-108-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2184-112-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 821135a7652210d83925d708042eae66
SHA1 a9cf7ca16ab3cfa3ec08ff04e33c24b4b0a7c848
SHA256 ec298fb919ce699c2e12a305cbde409f1348d874ab912546c63124fcc15f6451
SHA512 50d5087c3ca7c412bd08eca2f328293f0d11cb52520654873b31984ff3147f3e0791cdedb71a6ea3f1c994803883a0e8416d89b31e1c0cad3db8f5ddfebbdd69

memory/3528-119-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 a02b42c839a22c261b3223acd3db5fe5
SHA1 2291381b83557e9b2fbaf131d58cee22e82d2b10
SHA256 6f9ffe4b614af426933e536783d1564ea5fc7c54dc729707eccd4782888af7eb
SHA512 4626a6084add6f2b66ad05f01ea91fedf56d3356f7f8adccc3fe433ad0e8e863cb95a7c5d6ff1af75fb80526295742e555c25d0c8d5437ac75c379692f5c478d

memory/4564-125-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 786d66981167f42d9c6a1d74d4483818
SHA1 97bf9ed420c5e6dec7c155005ecd889d594ece33
SHA256 1a99935c70381b270b8504ed86fb81da8f68eed73a4b40d34eaa1d019d27920b
SHA512 1fa38c721cdcff80ffe630fef5608d8eb04198bc69ecfdb6138e8366710caebf07a71bda792e9c7e1c94510b632545c187bab67c2dd6cd608a793ec799f38485

memory/2944-132-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 14f4bd1e0328f0f4d69cfcbcfca374ab
SHA1 be5f4cbf7b3ec5104a1ec872dd0554630ae22afb
SHA256 8d12f63bebaa629598fb10f140a5cb4701f69b386f92f836eb9c9ed23464e961
SHA512 aa7778b485094e26302e03996fdbf88d738948db6d5b23dfeb76064feed0a11f8e8b82a20fef0949a8b87002654e1d6c62ad8a8173ef95c96b0c1cd01e8cc85f

memory/2732-138-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 2f782001de924b66d079254bbd699248
SHA1 5ec06a5ff65af08fafe6826c42024b34055d74ac
SHA256 93ec6008a90564f98a90468ea7aa377a7ab46530d0a320b1b2ffe1db0c845fbd
SHA512 1ef1f2aee6eded69e3c2ae2f39484c7eea7d38c986372056e0d0f507a7c27c61a30ed783b55027ec403ae534e6850842d1219683d80ac9f954a06ed0ac85ac4f

memory/2428-144-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 0ff99c387cff3c496a2881c8694d1be1
SHA1 5733a13c6b4f6f066d584f7e74ec367f6e2f7b1a
SHA256 7d199244fec70a849e22e816a83188a8ca1715aa9d8a288efbd86e17751325be
SHA512 eb6197d4459086a2298380a535c19b604328820e0611b9f495bb618dac7f3bb99d61668d1a1ebc4d8facf8c29102c6af9ccf0f1be6d89a3ee0776683e6972a18

memory/4832-150-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3352-152-0x0000000000400000-0x000000000042F000-memory.dmp