81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 02:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Size

45KB
MD5

5656b2485249835077aad5912b7994ec
SHA1

178b9f050b572a3bc55bc5d2a11f2f486fd5884f
SHA256

81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b
SHA512

7a13aa04e0d2d477d3c1a2fc565daa15445ec1efae81996a6c973a9d2a6741fa52f10f2c07fc5fe128a083e5dccb4a335325fde0434ff95f063fb2ceb60dd6e4
SSDEEP

768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nEI:FAwEmBGz1lNNqDaG0PoxhlzmI

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Detects executables built or packed with MPress PE compressor 22 IoCs

resource	yara_rule
behavioral1/memory/1964-0-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000700000001451c-8.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2440-112-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015caf-123.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cbf-132.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2260-143-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cf3-184.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1964-192-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2016-191-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2016-188-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2912-177-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2912-174-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cea-172.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2136-165-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015ce2-160.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1540-155-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1540-149-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000015cd6-148.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2764-131-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2764-125-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2440-117-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000700000001473e-109.dat	INDICATOR_EXE_Packed_MPress

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2440	xk.exe
2764	IExplorer.exe
2260	WINLOGON.EXE
1540	CSRSS.EXE
2136	SERVICES.EXE
2912	LSASS.EXE
2016	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
File created	C:\Windows\SysWOW64\Mig2.scr	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
File created	C:\Windows\xk.exe	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
2440	xk.exe
2764	IExplorer.exe
2260	WINLOGON.EXE
1540	CSRSS.EXE
2136	SERVICES.EXE
2912	LSASS.EXE
2016	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2440	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	28
PID 1964 wrote to memory of 2440	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	28
PID 1964 wrote to memory of 2440	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	28
PID 1964 wrote to memory of 2440	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	28
PID 1964 wrote to memory of 2764	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	29
PID 1964 wrote to memory of 2764	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	29
PID 1964 wrote to memory of 2764	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	29
PID 1964 wrote to memory of 2764	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	29
PID 1964 wrote to memory of 2260	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	30
PID 1964 wrote to memory of 2260	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	30
PID 1964 wrote to memory of 2260	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	30
PID 1964 wrote to memory of 2260	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	30
PID 1964 wrote to memory of 1540	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	31
PID 1964 wrote to memory of 1540	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	31
PID 1964 wrote to memory of 1540	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	31
PID 1964 wrote to memory of 1540	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	31
PID 1964 wrote to memory of 2136	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	32
PID 1964 wrote to memory of 2136	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	32
PID 1964 wrote to memory of 2136	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	32
PID 1964 wrote to memory of 2136	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	32
PID 1964 wrote to memory of 2912	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	33
PID 1964 wrote to memory of 2912	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	33
PID 1964 wrote to memory of 2912	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	33
PID 1964 wrote to memory of 2912	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	33
PID 1964 wrote to memory of 2016	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	34
PID 1964 wrote to memory of 2016	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	34
PID 1964 wrote to memory of 2016	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	34
PID 1964 wrote to memory of 2016	1964	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe

C:\Users\Admin\AppData\Local\Temp\81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe
"C:\Users\Admin\AppData\Local\Temp\81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1964
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2136
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
95d06af0328989f928952d05a685671f

SHA1
0568cd479bb8f05e5ec15b0976ab6911eeec7677

SHA256
f4b583267cef7d4caa59294f427bf5413dbbd30b11df141cf5cfc061a3395309

SHA512
6341df59a3c7996a35e317625c3f9b7c62f8dfc744ce9f2264659c809f27fdd446dc21b3a8e27fc149312b53058e5aa0ba93857dc19b2e73ff29a91630a7edd5

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
d21d5069fd8d391634c6080e1301b690

SHA1
9490ef864c5b957165abaf664ba9420517fb0df6

SHA256
108b634306ab757a77b4b434526ec4026dd074af05d3ef3e8ff12d15d21cbaef

SHA512
ef90c52ea96a8237205054f28798b066440bf366e7e15261c6343be0b59100b8c468abf9d9bf962b102b3d8b4dc94cfff034540079a6c8253e4b3b16f5bbccf0

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
f9a8c72108e6a2c8383e9aeaa3b1b591

SHA1
64fc0520a19123f21070127b282119d282a63138

SHA256
a6e81873d29d42b55ed848f1b5b65189bc3266a627a769144261fcc7403e031a

SHA512
3d798e3ddb136e0b8f1bb45f39a6cde756f693ac8e7943661ea513412a345d1cdf28329d58d068791223fdad9ed0ae44a87f25ff1d5e2dd20e582833a8cede18

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
9ce45b9176edd2c240fc046cbd82b621

SHA1
4818652263c866390985b8c95244d4021e7c4b8d

SHA256
918370a7140f1d01270661a7b422118e4f8f78d0874e545a820cf55a333490b0

SHA512
e7e3061fd2383dd5f8850ae3d6b1c63ef77e1e89b26b911198fcea5826c2686a903ceff7130f463ba3028c9ac17b77e05d6f110832a3a816c4dd171f758a36ff

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
45KB

MD5
5656b2485249835077aad5912b7994ec

SHA1
178b9f050b572a3bc55bc5d2a11f2f486fd5884f

SHA256
81f11327008a2a6d4f8b284a7c5c62965a8a5585b0b017d514f515abfa58c85b

SHA512
7a13aa04e0d2d477d3c1a2fc565daa15445ec1efae81996a6c973a9d2a6741fa52f10f2c07fc5fe128a083e5dccb4a335325fde0434ff95f063fb2ceb60dd6e4

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
3e9e5034880c49cb89f3527d0273badf

SHA1
5dbe80ee3ae60f9b91f2d1ba0b44b8329d85bfec

SHA256
4ec0f956f5631f7f1a655a8feb11faf80495dbc54e0b78d7e5f239bed0fb1fb2

SHA512
9c2e8086e97ead3cdaa82e0ae898c4f72bb1f5c2024cccda8f906d65264643a65393c5744243f35c3138abeb26b8e4d22f6cfc3952fab9b0daa73a5a64e294c0

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
0c859fe75a796ba64a11a9732053d14e

SHA1
81fe8493da0896b91dc79be0f09b64fdbf0f34fb

SHA256
a21e475d1393ff48f9d9ba3d26fe606e2ccdb0ecb41bc76bb40f74dac9cd0299

SHA512
eb0012bb575f92018f1de28270a26246a2f18749e6b5845c8c375fa5d2f5e47d9c9fe46c49ad2c73f4cf5892aa9d4aa0019ed1ca8e21e76a708b9bfdd9d72815

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
d1e07934c76fa712b1dec833ee398018

SHA1
f73ac96f7cdf58c7be4ac6158c645ce5da3c3a81

SHA256
b573c8401fa424ff37dfdd9c52ae5aaf0be15b3e3cb900377d82f8d0fbe26917

SHA512
38152ee752b9175ba1b7bb0eb63b2e3c295129703c90f1ac65255d21f1da92acf42357ac06028edd9de857ecda58cb504d7c934c2b98cff8e22abd341b89d223

Download Submit
memory/1540-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1540-155-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-173-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1964-161-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1964-110-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1964-111-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1964-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-185-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1964-124-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1964-137-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/1964-192-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2016-188-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2016-191-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2136-165-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2260-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2440-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2440-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2764-131-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2764-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-174-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2912-177-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download