Malware Analysis Report

2025-01-06 08:57

Sample ID 240604-a2jyssfh52
Target 9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae
SHA256 9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae

Threat Level: Known bad

The file 9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Detects executables built or packed with MPress PE compressor

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Loads dropped DLL

Modifies system executable filetype association

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 00:42

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 00:42

Reported

2024-06-04 00:44

Platform

win7-20240215-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (23 matches, no indicator, process or target recorded)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2776 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\xk.exe
PID 2980 wrote to memory of 2804 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2980 wrote to memory of 1600 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2980 wrote to memory of 1880 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2980 wrote to memory of 832 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2980 wrote to memory of 1240 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2980 wrote to memory of 1052 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe

"C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2980-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\lsass.exe

MD5 675c0ecb442c782a6e0c29c1665988d4
SHA1 e5b110fe25824dc76726b966fb31dd6c9f44d47b
SHA256 9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae
SHA512 b860154ded6595a0f057db0d7edd42ffe1400988f5c82ceb7f61500d5d3259ff726578f1153071f569c99053ac8ab2b2dda238c13d97540e204b4ede5b4c0bca

memory/2980-105-0x0000000001E00000-0x0000000001E2E000-memory.dmp

C:\Windows\xk.exe

MD5 e064702bb338ef90849d4324fdb518b7
SHA1 687c8a80a2f59af9ebcbd7f129c7afe91c3c859f
SHA256 88a37e12219d3acfe0023335916d569c51de7b4ec2acd4a9a5d018d56abe6e29
SHA512 97c58e7c97620f6ba4cef1cfaf163cfad14d43273590cefcd9803631d2c952c89799677143d72e5a4a4dacd7e5cea7e92631b171490b348302c2e24794511c20

memory/2776-112-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2776-113-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 b0cf16256ff5bbbaab72aab58ade3457
SHA1 13d41e5541487560fdb2b45efd10ebb156c56ef2
SHA256 e2eb121de956379053064b39008ff86676e63ba15385fb5999c289344d609cd2
SHA512 b46536efe2884782e296014270b79923c9f3e6367756d52be1fab66ecb34622324f05717d8d41e3a36c8778f9f61e566abb75eee8ce5a4f591465713d014d132

memory/2804-122-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2980-121-0x0000000001E00000-0x0000000001E2E000-memory.dmp

memory/2804-125-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 2dbd7b2207417f0fef19cb6488129c62
SHA1 00cafc947affe6e2dec6d0544b1ebe6e9825a758
SHA256 eebff995ded70f2430e4cd79c35d87e2fe96e5fb4a6c4d008f3aa6355d1277b7
SHA512 89b6df619eeeb815a31ea5987151bdc434b310fbb534ee70b3b39d443a15f4aa80e663142004f054a467800ebd84a8a80cb940a483efc5c3cb84772fd0c79f27

memory/2980-132-0x0000000001E00000-0x0000000001E2E000-memory.dmp

memory/1600-134-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1600-140-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 a7f913b77842112d68c027f23950ab54
SHA1 bfd019dc1808324caa356c12793ddb07d9d346f2
SHA256 894363804a097a4bbf3c706836e4f1c3029f6e00e5e9835258f888965b238051
SHA512 b45df9461fa7dbadf125600db76190afd5e547cecf2db88f07f2510405052a414cce28dad545d8a5afaded8a81aa31c2164eb0b667eb82e77c76cfea1aec3c1e

memory/2980-146-0x0000000001E00000-0x0000000001E2E000-memory.dmp

memory/1880-147-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1880-150-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 b4abc5436fa73fdf286d7c548d27dd3a
SHA1 6c1bcd8b6b737c4dccd57d78afac800a2fe4d078
SHA256 a50890674a7d6defe328e4abb0e62d3f90c5b46e804d6a0fbc561500dbf02e05
SHA512 0ae6edab914a539b868740cf2c249dee20d629ae5c80210e62bc7b89df3a874859aad43011f2a80f47e9609dbe3222ba2142c61191850f1a3b5ba27bdd6454ea

memory/2980-158-0x0000000000400000-0x000000000042E000-memory.dmp

memory/832-161-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 6fba8c7b4e962bcaabd57dcf3565ff70
SHA1 9925a2f9259f7b8de764a8082a6dcfa3d6b931f5
SHA256 df7d3639f5879f089d8f6210a44c858c9bc15b3e22eb92e6ca57a25fadf15056
SHA512 a0ecdb53f417423e74fc5d650aa2bcc9e7a202ac7933348f5cd3d409dafe3c690ed21ef427271e7fb814db7185e973ae1bd472e892f75fd8510298fd1d907210

memory/1240-171-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 9c673a1ec8b21be9381f17fa24bfd4c7
SHA1 8a3f468bc96888f6c15039be57e1d1b89313b117
SHA256 8f90b6df3945649c177f770dcc262baa78c72cf6470e809316712466c6fb9a6f
SHA512 ff373494e7ee8434f756864268bb18687c8f7e9fcda8f715fb5bd885e1359a4ffac652194a24a88d62f27eb9fe2d16552fc8b1b233290c03afd687161e357d0a

memory/1052-181-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2980-182-0x0000000000400000-0x000000000042E000-memory.dmp
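Host triage script for the artifacts this detonation records, added here as an example; it is not part of the sandbox output and not the sample's code. It walks the registry locations from the Signatures tables above and the dropped-file paths and SHA256 values from the Files section, reports what it finds, and with -Remediate restores stock defaults and deletes the files. The stock defaults it restores (Shell, Userinit, the "%1" %* open commands, the Application type name for exefile, the absence of shell\open\command under lnkfile) and the System32/SysWOW64 paths for shell.exe and Mig~mig.SCR, which the page names in registry writes but never hashes, are assumptions and are marked as such in the code.

```powershell
# Added triage script for the registry and file artifacts in this report; not
# part of the sandbox output. Run elevated. Defaults marked "assumed" are stock
# Windows values from memory: verify them against a known-good build first.
param([switch]$Remediate)
$Findings = New-Object System.Collections.Generic.List[string]
# Only loaded user hives appear under HKEY_USERS (reg.exe load for offline profiles).
$userHives = Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

# 1. Winlogon Shell / Userinit. The sample is 32-bit, so its HKLM\SOFTWARE writes were
#    redirected to WOW6432Node, while winlogon.exe reads the native key: check both views.
$winlogonDefaults = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }  # assumed
foreach ($p in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon') {
    if (-not (Test-Path $p)) { continue }
    foreach ($name in $winlogonDefaults.Keys) {
        $val = (Get-Item $p).GetValue($name)
        if ($null -ne $val -and $val -ne $winlogonDefaults[$name]) {
            $Findings.Add("Winlogon $name in ${p}: '$val'")
            if ($Remediate) { Set-ItemProperty -Path $p -Name $name -Value $winlogonDefaults[$name] }
        }
    }
}

# 2. Run values named in the report: machine-wide WOW64 view plus each user hive.
$runValues = @{ 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' = 'System Monitoring', 'LogonAdmin' }
foreach ($h in $userHives) { $runValues["$h\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"] = 'xk', 'MSMSGS', 'ServiceAdmin' }
foreach ($key in $runValues.Keys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $runValues[$key]) {
        $val = (Get-Item $key).GetValue($name)
        if ($null -eq $val) { continue }
        $Findings.Add("Run value '$name' in ${key}: '$val'")
        if ($Remediate) { Remove-ItemProperty -Path $key -Name $name }
    }
}

# 3. File-class handlers redirected to shell.exe, and exefile retyped as "File Folder".
#    Assumed defaults: "%1" %* for exe/com/bat/pif, no shell\open\command under lnkfile, exefile = Application.
$classDefaults = @{ exefile = '"%1" %*'; comfile = '"%1" %*'; batfile = '"%1" %*'; piffile = '"%1" %*'; lnkfile = $null }
foreach ($class in $classDefaults.Keys) {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$class\shell\open\command"
    if (-not (Test-Path $cmdKey)) { continue }
    $cmd = (Get-Item $cmdKey).GetValue('')
    if ($cmd -eq $classDefaults[$class]) { continue }
    $Findings.Add("$class open command: '$cmd'")
    if (-not $Remediate) { continue }
    if ($null -eq $classDefaults[$class]) { Remove-Item "HKLM:\SOFTWARE\Classes\$class\shell" -Recurse }
    else { Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $classDefaults[$class] }
}
$exeType = (Get-Item 'HKLM:\SOFTWARE\Classes\exefile').GetValue('')
if ($exeType -ne 'Application') {
    $Findings.Add("exefile type name: '$exeType'")
    if ($Remediate) { Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\exefile' -Name '(default)' -Value 'Application' }
}

# 4. Policy and screensaver writes. HideFileExt=1 and ShowSuperHidden=0 equal the stock
#    defaults and prove nothing on their own, so they are not checked here.
$checks = @(@{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
            @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' })
foreach ($h in $userHives) {
    $checks += @{ Key = "$h\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"; Name = 'DisableRegistryTools' }
    $checks += @{ Key = "$h\Control Panel\Desktop"; Name = 'SCRNSAVE.EXE' }
}
foreach ($c in $checks) {
    if (-not (Test-Path $c.Key)) { continue }
    $val = (Get-Item $c.Key).GetValue($c.Name)
    $bad = if ($c.Name -eq 'SCRNSAVE.EXE') { $val -like '*Mig~mig.SCR' } else { $null -ne $val -and $val -ne 0 }
    if (-not $bad) { continue }
    $Findings.Add("$($c.Name) in $($c.Key) = '$val'")
    if ($Remediate) { Remove-ItemProperty -Path $c.Key -Name $c.Name }
}

# 5. Dropped files; SHA256 values are copied from the Files section of this report.
$iocHashes = @{ 'C:\Windows\xk.exe'                 = '88a37e12219d3acfe0023335916d569c51de7b4ec2acd4a9a5d018d56abe6e29'
                'C:\Windows\SysWOW64\IExplorer.exe' = 'e2eb121de956379053064b39008ff86676e63ba15385fb5999c289344d609cd2' }
$perUser = @{ 'AppData\Local\lsass.exe'            = '9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae'
              'AppData\Local\WINDOWS\WINLOGON.EXE' = 'eebff995ded70f2430e4cd79c35d87e2fe96e5fb4a6c4d008f3aa6355d1277b7'
              'AppData\Local\WINDOWS\CSRSS.EXE'    = '894363804a097a4bbf3c706836e4f1c3029f6e00e5e9835258f888965b238051'
              'AppData\Local\WINDOWS\SERVICES.EXE' = 'a50890674a7d6defe328e4abb0e62d3f90c5b46e804d6a0fbc561500dbf02e05'
              'AppData\Local\WINDOWS\LSASS.EXE'    = 'df7d3639f5879f089d8f6210a44c858c9bc15b3e22eb92e6ca57a25fadf15056'
              'AppData\Local\WINDOWS\SMSS.EXE'     = '8f90b6df3945649c177f770dcc262baa78c72cf6470e809316712466c6fb9a6f' }
foreach ($profile in Get-ChildItem C:\Users -Directory) {
    foreach ($rel in $perUser.Keys) { $iocHashes[(Join-Path $profile.FullName $rel)] = $perUser[$rel] }
}
# Named only in the registry writes, no hash on the page (paths assumed): presence alone is reported.
foreach ($f in 'C:\Windows\System32\shell.exe', 'C:\Windows\SysWOW64\shell.exe',
               'C:\Windows\System32\Mig~mig.SCR', 'C:\Windows\SysWOW64\Mig~mig.SCR') { $iocHashes[$f] = $null }
if ($Remediate) {   # stop running copies first (matched by image path) so deletion does not fail
    Get-Process | Where-Object { $_.Path -and $iocHashes.ContainsKey($_.Path) } | Stop-Process -Force
}
foreach ($path in $iocHashes.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $known = (-not $iocHashes[$path]) -or ($hash -eq $iocHashes[$path])
    $Findings.Add("File present: $path ($hash, " + $(if ($known) { 'as in report' } else { 'hash differs, inspect' }) + ')')
    if ($Remediate -and $known) { Remove-Item -LiteralPath $path -Force }
}
if ($Findings.Count -eq 0) { 'No artifacts from this report found.' } else { $Findings }
```

Run it once without -Remediate and review the findings before cleaning; the lnkfile cleanup removes the whole shell subkey on the assumption that nothing legitimate created one. Only the hives of logged-on users are visible under HKEY_USERS, so load other profiles' NTUSER.DAT with reg.exe load before checking their Run, Policies and Control Panel values. Both detonations show the Winlogon Shell/Userinit and the System Monitoring/LogonAdmin Run values landing under Wow6432Node, which is where a 32-bit process's writes to HKLM\SOFTWARE are redirected on 64-bit Windows; the native winlogon.exe does not read that view, so the Winlogon persistence may not take effect on a 64-bit host, whereas HKLM\SOFTWARE\Classes is shared between both views and the exefile/comfile/batfile/piffile hijack does.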

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 00:42

Reported

2024-06-04 00:45

Platform

win10v2004-20240508-en

Max time kernel

138s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (19 matches, no indicator, process or target recorded)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\xk.exe
PID 3368 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\xk.exe
PID 3368 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\xk.exe
PID 3368 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3368 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3368 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Windows\SysWOW64\IExplorer.exe
PID 3368 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3368 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3368 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 3368 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3368 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3368 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 3368 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3368 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3368 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 3368 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3368 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3368 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 3368 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3368 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 3368 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe N/A
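The four registry signatures above (Run keys, Control Panel, registry class, system policy) are the same kind of record: a "Set value" row with a key path, a value and the writing process. The script below is an added example, not the sandbox's or the sample author's code; it parses rows copied from this report (process column shortened to sample.exe) and applies the checks an analyst would run over them: Run entries that borrow an OS process name outside System32, shell\open\command values for executable file classes that differ from the stock "%1" %*, an exefile class relabelled away from "Application", a SCRNSAVE.EXE pointing at a non-stock screensaver, and lockdown policies set to 1. The default values, the OS process name list and the stock screensaver list are this example's assumptions about a default Windows install.

```python
import re
from dataclasses import dataclass

# Rows copied from the "Set value" indicators above, one per behaviour class
# (constructed input: the process column is shortened to sample.exe).
REPORT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
'''

# Row shape: Set value (<type>) <key> = "<value>" <process> <target>; the value is JSON-style escaped.
ROW_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<key>.+?) = "(?P<raw>.*)" (?P<proc>\S+) (?P<target>\S+)$')

SYSTEM32 = r'c:\windows\system32'
# Assumption: on a stock install these names only run from System32.
OS_PROCESS_NAMES = {'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe'}
# Assumption: stock shell\open\command values; lnkfile has no open command by default.
DEFAULT_OPEN = {'exefile': '"%1" %*', 'comfile': '"%1" %*', 'batfile': '"%1" %*',
                'piffile': '"%1" %*', 'lnkfile': ''}
# Assumption: screensavers shipped with Windows.
STOCK_SCREENSAVERS = {'scrnsave.scr', 'bubbles.scr', 'mystify.scr', 'ribbons.scr',
                      'sstext3d.scr', 'photoscreensaver.scr'}
LOCKDOWN_POLICIES = {'nofolderoptions', 'disableregistrytools', 'disabletaskmgr'}


@dataclass
class Finding:
    tactic: str
    rule: str
    key: str
    value: str


def parse_row(line):
    """Return (type, key, value, process) for one report row, or None if it is not a Set value row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    value = m['raw'].replace('\\"', '"').replace('\\\\', '\\')
    return m['vtype'], m['key'], value, m['proc']


def split_path(path):
    """Lower-cased (directory, basename) of a plain or quoted Windows path."""
    d, _, b = path.strip('"').lower().rpartition('\\')
    return d, b


def check_row(vtype, key, value):
    found = []
    k = key.lower()
    leaf = k.rsplit('\\', 1)[-1]
    # Run-key persistence; escalate when the target borrows an OS process name outside System32.
    if '\\currentversion\\run\\' in k:
        found.append(Finding('persistence', 'run_key_added', key, value))
        d, b = split_path(value)
        if b in OS_PROCESS_NAMES and d != SYSTEM32:
            found.append(Finding('persistence', 'run_key_masquerade', key, value))
    # File-class hijack: every launch of that class is routed through the attacker's binary.
    m = re.search(r'\\classes\\(\w+)\\(.*)$', k)
    if m and m.group(1) in DEFAULT_OPEN:
        cls, rest = m.groups()
        if rest == 'shell\\open\\command\\' and value != DEFAULT_OPEN[cls]:
            found.append(Finding('persistence', 'shell_open_command_hijack', key, value))
        if rest == '' and cls == 'exefile' and value != 'Application':
            found.append(Finding('evasion', 'file_class_relabelled', key, value))
    # Screensaver persistence: SCRNSAVE.EXE pointing at a non-stock .scr.
    if leaf == 'scrnsave.exe' and split_path(value)[1] not in STOCK_SCREENSAVERS:
        found.append(Finding('persistence', 'screensaver_persistence', key, value))
    # Lockdown policies that hinder manual cleanup (Folder Options, regedit, Task Manager).
    if '\\policies\\' in k and leaf in LOCKDOWN_POLICIES and value == '1':
        found.append(Finding('evasion', 'policy_lockdown', key, value))
    return found


def triage_report(text):
    """Run every check over every Set value row in the report text."""
    findings = []
    for line in text.splitlines():
        row = parse_row(line)
        if row:
            findings.extend(check_row(*row[:3]))
    return findings


if __name__ == '__main__':
    for f in triage_report(REPORT_ROWS):
        print(f'[{f.tactic}] {f.rule}: {f.key} = {f.value}')
```

The same conditions map directly onto a live host: the hijacked class commands live under HKLM\SOFTWARE\Classes, the Run values under HKLM and HKCU ...\CurrentVersion\Run (note the WOW6432Node view written by this 32-bit sample), SCRNSAVE.EXE under HKCU\Control Panel\Desktop, and the lockdown values under HKLM\...\Policies. Restoring exefile\shell\open\command to "%1" %* before deleting the dropped shell.exe matters, otherwise no .exe launches on the box.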

Processes

C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe

"C:\Users\Admin\AppData\Local\Temp\9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3368-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 675c0ecb442c782a6e0c29c1665988d4
SHA1 e5b110fe25824dc76726b966fb31dd6c9f44d47b
SHA256 9bf3797618557a0bc3622b24cbf9d8c7cdea04397204c21a30ec310bbdff39ae
SHA512 b860154ded6595a0f057db0d7edd42ffe1400988f5c82ceb7f61500d5d3259ff726578f1153071f569c99053ac8ab2b2dda238c13d97540e204b4ede5b4c0bca

C:\Windows\xk.exe

MD5 6191d140d534d4f9a5b4fe98925a0793
SHA1 c41eee56812314a03e2263c90c600765970fa288
SHA256 216d6a36a76ce955ea071ab48c5bf7f85b06cab54b3a526d0071b86a60b13f79
SHA512 3d544fd6cfed53c4a8ebf5ec6d534d02d11d055fb2d85509d26dea68ee98b8a65412f77dee34b55f8345dba2d424c325b8b50762249eabd11adb0e332303ba97

memory/3472-114-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 9194a75be1a781204973fe06f0813f4d
SHA1 af0ce537c661245a0fb1e5a2998f4e6700da436f
SHA256 fdcc932af6498c7109cdf8cead85c89de5c58023bb9da0d0854f15608a48f579
SHA512 a70952943a5a44e0c5b572614198a6ef0ed14ef293679acde39544d4843e9b5de7527ae5e72111a94b10ac7d1bc6d80bb7d9c9b5eda5e455b9cbb3d70bfa4535

memory/1084-115-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1084-122-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

MD5 196b826fcbb774586b839899f47a869e
SHA1 ac525ccc5df3c5ea5bd3941fcd71255f9d726faa
SHA256 471ead3dbc35504b80a467e081432313ea4c87953bdbe8cee822fe09f72644e1
SHA512 2c772431056ed6686e6f80f2129a43e1c577f6ffa6d2eedad9d2274df023e2bb14ad35a02cf0af5f2901656de48fd3e107812f62008a1834a8c50250b522185e

memory/4412-124-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4412-129-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 fe669f94571892a6b2099fe6505b4ba1
SHA1 7d7bb40fda81be2e07eebeadb500ccff05215e08
SHA256 015db5977135e0a20c106c7f1e4aee559acb250d25c46ff070916d20303f2797
SHA512 74ea81814a13991b3c37b5fc3b792f32db2d5efc698c8978c8ba2c00f4b337a4e2917c2ac1853dd0369039cd5b8a5350bea8120e799a79430e662a76be07dd1c

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 43760b7f68dbe5420d69defe48559273
SHA1 a136815aad68f523e361b26618874f58b3b15e36
SHA256 4ae49ec6e1ced6381befbe1047215dc2f36714308c5726b8d6e6a3b586f7b1c1
SHA512 0a8c8bceb05d85529c23d7d6b647c2ebda214ae6fc68ea669895416aaaf14f90ec042568d9cfcb37979cf7b6fe47886f2cb26802501d875ffe88d8009d67e8b8

memory/5096-135-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3148-141-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 8c2f500424286f04219384300e6a626e
SHA1 7d386977bf1c1ad31682bdb646d2852082a37458
SHA256 056fa4fe6835849c7ad4b9912f190518dd1bf7a29ac2e16062b291cacdb5d300
SHA512 3f74e0168be06500bf426b67645ad46c462cfe9060e60ccdd44d3b2b3d12544871b4b519abc5b5d03bc1bbb3bf96c4274f989755bd7a74c7ec4920098809205c

memory/852-147-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 e99e219bafaa6a988c1b951cbc19aee4
SHA1 8ca8c992048035630f6580dd0a44476d37cf1e19
SHA256 681dff800b992acf95ebfc49630a4857c6c8e5723ca8ea18c2389bde8f408e13
SHA512 8ede57a3fcd6bfce53dd5b7833d99d1e6be1ed3e0867f8465d0802a404f1f5742ad15ff5d2553c048e23d660154b6c6cca7c671abc6904ee495cfcc66e3ff09e

memory/3484-154-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3368-155-0x0000000000400000-0x000000000042E000-memory.dmp