a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0

Analysis

max time kernel
4s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Size

45KB
MD5

22904bd5ed107f0892cb4b0d5fe7a45f
SHA1

dcec73652ff1c8d47b313ed00b37af93e9dc6751
SHA256

a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0
SHA512

09dfe38a23a61136d93e4d8dc45def9559f64334ed80cdd03ac8e01435cb21902f2789ad519677668fefe25f37b2c4c727058806cd525f8b7fc6cfe753026d8b
SSDEEP

768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nER:zAwEmBZ04faWmtN4nic+6GR

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Detects executables built or packed with MPress PE compressor 33 IoCs

resource	yara_rule
behavioral2/memory/1596-0-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023259-8.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023259-52.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1356-61-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1356-64-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002325f-67.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023261-73.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023262-78.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023263-86.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023264-92.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4676-95-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3812-89-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1492-83-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2908-76-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4900-70-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1888-60-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002325d-59.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1596-121-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0008000000023259-224.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4548-231-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002325d-229.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4548-225-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4028-236-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000700000002325f-235.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2660-242-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023261-240.dat	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023262-246.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1268-248-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023263-254.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3732-253-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0007000000023264-259.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1732-257-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1596-264-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1888	xk.exe
1356	IExplorer.exe
4900	WINLOGON.EXE
2908	CSRSS.EXE
1492	SERVICES.EXE
3812	LSASS.EXE
4676	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File created	C:\desktop.ini	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\J:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\T:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\X:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\E:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\I:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\L:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\N:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\O:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\W:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\K:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\P:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\Q:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\V:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\Y:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\Z:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\G:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\H:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\M:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\R:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\S:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened (read-only)	\??\U:	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File created	C:\Windows\SysWOW64\shell.exe	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File created	C:\Windows\SysWOW64\Mig2.scr	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
File created	C:\Windows\xk.exe	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
1888	xk.exe
1356	IExplorer.exe
4900	WINLOGON.EXE
2908	CSRSS.EXE
1492	SERVICES.EXE
3812	LSASS.EXE
4676	SMSS.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1888	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	92
PID 1596 wrote to memory of 1888	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	92
PID 1596 wrote to memory of 1888	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	92
PID 1596 wrote to memory of 1356	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	93
PID 1596 wrote to memory of 1356	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	93
PID 1596 wrote to memory of 1356	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	93
PID 1596 wrote to memory of 4900	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	94
PID 1596 wrote to memory of 4900	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	94
PID 1596 wrote to memory of 4900	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	94
PID 1596 wrote to memory of 2908	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	95
PID 1596 wrote to memory of 2908	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	95
PID 1596 wrote to memory of 2908	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	95
PID 1596 wrote to memory of 1492	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	96
PID 1596 wrote to memory of 1492	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	96
PID 1596 wrote to memory of 1492	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	96
PID 1596 wrote to memory of 3812	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	97
PID 1596 wrote to memory of 3812	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	97
PID 1596 wrote to memory of 3812	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	97
PID 1596 wrote to memory of 4676	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	98
PID 1596 wrote to memory of 4676	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	98
PID 1596 wrote to memory of 4676	1596	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe	98

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

C:\Users\Admin\AppData\Local\Temp\a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
"C:\Users\Admin\AppData\Local\Temp\a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1888
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1356
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4900
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4676
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  PID:4548
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  PID:4028
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  PID:2660
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  PID:1268
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  PID:3732
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  PID:1732
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
fe0ffdc5bb41515ef761af7cc19cf59c

SHA1
a33fac6ef1ad689197cbe2b520b5c89b4cc0457f

SHA256
12eb64bc79ff58483a92f84924e05a2cd21bb7798e5eb85f17ea05dfc4e48f88

SHA512
706263c39a8fa3052107e6574a52b9492ed267120fa785f287e15152e23865df0e144fa68c3af35b320b4c36932f473b4f65a68e17adf45726ad32a83257ad98

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
8a9c22af33849b3845b159480383fa61

SHA1
8da086d61f4d761148764f521d58256ddfecb10c

SHA256
4b454dac5010551f4736045b99c9b83e7a3068005b50ffe58e10a142c24a7122

SHA512
6696b2474f2320513f8c5ed2dfade8681d09791c77ea338b2f54085c9e69ad219b6efd72c72b5a21d8a1c1cee6679f488a27430c5c15acaae8871df654b23f42

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
060fd6cf1510393152e7dc72311e5326

SHA1
714d104e93c8526a78c87cbb29806acd9616d594

SHA256
546e3229cacd906beaeec08a2e0f6897092283e2159111fd37c1d038c4fdc0c4

SHA512
1ed897abbe8b7dcfa58c88a787e39222bb45c6376c3976f9e329dcc2b4940af95b2652f494195d5ef5e8e84657833aa69e7aef46d860aa014c3e5af7bd4a5925

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
68c16b7e84298da5baedc4fa0db099e6

SHA1
d2902a4f22dc428e24abafcd4cb04d2d17c91223

SHA256
67337043f51c014443f5bdb27d24e8713e8359fa642270ad571f6d808a24e3ae

SHA512
4097e0a8e1637336283f72d88798e56b22112256cf566486558af7260b5a62d9f110b331356d309245472a227b06b227213941a1f3ee07b4a372748950000c33

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
c3872dfde610d42014df9d67ee737a0a

SHA1
cee09ac01742fa6af9298c14ea34240f90944c4a

SHA256
8702a40701c1073fd9e6b85a8c9a503c6f9264fd779293f18f27f134ef3c7490

SHA512
a7384ed91a60f74b7770bfaba9d0a180fae0fc1c8ed9785062899d64533ba61b0aa29d5f41098f49c4e23af75a02988a0ffa4ebc0020ec25bbd8d03219942025

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
93ac9b530a577a78cb8ff20e5615755c

SHA1
602bf687d7813dce54ebbc35a019b2cdfc488403

SHA256
e0d29992231617b721da1474fbab0d5e5e38e7e01da476252d821e6d27bfefc4

SHA512
316e2da5ec767541069134108ae57586cb9dc2ed65800e6b3f0a9436057de9e4e43bdf0b62135b87445f1eb636515af41a51055905ace19477d95df9559230a8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
3d5e89a139c6131fd92177448983b265

SHA1
10182c781896f8e3ae5f998161c1f6396733a715

SHA256
3df2f25b5bd3eb397348d094d2da5f58aa7de7f8535875b27295bf92f11b3043

SHA512
5e0f33fa8eceaa424e5dab714743964d2ce948963061bf41b94bb2549ae851a2fa579753f2df5a34741ffd2e63e4053641f032c2f4f9b3beeed30d00e8824311

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
91925026349d9e9c1975b7945a019088

SHA1
2820bd4d70eb04005f0b1362f65f34798e710b19

SHA256
33de73cc05f9f90b541da7fa9f289b36333d5a25710540abbf6352f7845f25f2

SHA512
e42b43680e9f8039a7331531534b49ae6defb190734daabfd3438724b8ad1c4d5f8a6523d1d85bd03a237a633ab613ff283f453d989248dd39ada5a0cda9437a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
e38fe79aef2007c869499fe3a69c7309

SHA1
67469b566b540216057966dfa5e8d95e4609d175

SHA256
39de24ab2353479566e5585d4c350d5cc28a69b819d866fdcd2e5c3d1e4af13c

SHA512
accd5807834ffef63caec03de2d789a59065b6527025f4f0a438834369e550ad6d76ac2a6ef67d058af6865c05b5ffccbeeb2f3ebe54f5bfc4c185725e4035c4

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
8311544230667e7f74c6603865ae6d1d

SHA1
2d84959cc048c2655b0541aa9b7ee67aeec4b629

SHA256
233ae9d30790c4f546617c24d47cf88e1c8ee9c7a6b95a2538ea3860e53473d7

SHA512
92b093b49572cb032ad33a23e52af25684fddeb3eeefcc50d7b32050e06b673e2b3ac382f5243c0649ac6c484e441e84c2957ceac119f70f968e263068513039

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
9be16973121d9d959641d7f615e88e12

SHA1
578aac46f3f0031aa52607525debf1e0cb35025c

SHA256
73ff17393ca5d247941bb3cdeff6e18534f06b81dd0105825740341ab1b2cc42

SHA512
6d6135dce255d7855a7c7069a123451291bff010c7543430290993baa80ba3f7959e80a912fa198ee2169869c55dae82ab2c2369332fa00840caf7039cdfe40b

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
00725611f09f61fdb86a8acb6e559753

SHA1
9db7e92865c31fbd7377c2ec7669f066d77f8c82

SHA256
fffd503633cc2b9c7baad591e9a614e96026e60b59a9c2989e8b7066f3fe37ff

SHA512
719dc9f2756a459d7eb23cda6300b75802139fc61fc6ca910f69e913cbd13cef297802002a4803d22e39534f23b7d5119c513af92be713135f78296962996a7f

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
22001c6c52981750ea6d021b9b6e6df7

SHA1
7e9a87caeeb2bd0bd75d8bbf5655782d1f33c455

SHA256
bc9e2f106fab78e30632ebd6569ad01af07c5f5bb070db06c9532abdd2b0dab4

SHA512
0033c6d0b4a0b92d1e5b1e82598416722958beed471d7668b54cbe5d41a1c6fd772bf391c5c903ceddcd77415a2f1cf816a7804c6e24040c7edc9bb2328fec0d

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
ff94d2a488a1e0006123ed0abc299efc

SHA1
60c73511fd31488156b66d7791c87cb5b0ae121a

SHA256
e7db22de0609e007804b03227b0338f347e4a291d9b36522879a9e87d4ebcadc

SHA512
f932fc615089d7f699bb1d194fe500bb2845af075b68c4c27915f73c455685c368e2d35ca83719d43c0107631f28210f5455852a734bc76a113d69265e9283cb

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
22904bd5ed107f0892cb4b0d5fe7a45f

SHA1
dcec73652ff1c8d47b313ed00b37af93e9dc6751

SHA256
a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0

SHA512
09dfe38a23a61136d93e4d8dc45def9559f64334ed80cdd03ac8e01435cb21902f2789ad519677668fefe25f37b2c4c727058806cd525f8b7fc6cfe753026d8b

Download Submit
memory/1268-248-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1356-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1356-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1492-83-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1596-121-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1596-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1596-264-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1732-257-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1888-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2660-242-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2908-76-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3732-253-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3812-89-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4028-236-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4548-231-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4548-225-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4676-95-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4900-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download