Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 05:16
Behavioral task: behavioral1
- Sample: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Resource: win10v2004-20240508-en
General
- Target: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Size: 232KB
- MD5: f717612ad8f03464e96f3a33d67e8c4f
- SHA1: 3ef4d9b8960f8909446541bde480f1edcd4149a8
- SHA256: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0
- SHA512: 1ceea7d191284209fc1ef01321139bc1455fa03eb91339ee6d15b419e32542148efa5ce52429a5a91facadd0a9221d108ee7822890b4933d40308ef4b46da378
- SSDEEP: 3072:k/5F/E7tEf0n+p+tYlpJH7iXQNgggHlxDZiYLK5Wpk0out9rOJKqsout9e:khF4ca+wWJH7igNgjdFKsvoS9MKqsoSU
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
UPX dump on OEP (original entry point) (24 IoCs)
Resources matching yara rule UPX:
- behavioral2/memory/4676-0-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/files/0x00070000000233fb-8.dat
- behavioral2/files/0x00070000000233ff-106.dat
- behavioral2/memory/1324-107-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/files/0x0007000000023403-112.dat
- behavioral2/memory/1324-113-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/4860-114-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/files/0x0007000000023405-119.dat
- behavioral2/memory/4860-120-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/3832-123-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/3832-126-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/files/0x0007000000023406-127.dat
- behavioral2/memory/4912-128-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/4912-133-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/files/0x0007000000023407-134.dat
- behavioral2/memory/5048-137-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/5048-139-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/files/0x0007000000023408-141.dat
- behavioral2/memory/1380-142-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/files/0x0007000000023409-149.dat
- behavioral2/memory/3064-150-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/1380-148-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/3064-153-0x0000000000400000-0x0000000000430000-memory.dmp
- behavioral2/memory/4676-154-0x0000000000400000-0x0000000000430000-memory.dmp
Disables RegEdit via registry modification (2 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (7 IoCs)
- PID 1324: xk.exe
- PID 4860: IExplorer.exe
- PID 3832: WINLOGON.EXE
- PID 4912: CSRSS.EXE
- PID 5048: SERVICES.EXE
- PID 1380: LSASS.EXE
- PID 3064: SMSS.EXE
Modifies system executable filetype association (2 TTPs, 13 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
Adds Run key to start application (2 TTPs, 5 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
Drops file in System32 directory (6 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- File created C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification C:\Windows\SysWOW64\Mig2.scr
- File opened for modification C:\Windows\SysWOW64\shell.exe
- File created C:\Windows\SysWOW64\shell.exe
- File created C:\Windows\SysWOW64\Mig2.scr
Drops file in Windows directory (2 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- File opened for modification C:\Windows\xk.exe
- File created C:\Windows\xk.exe
Modifies Control Panel (4 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
Modifies registry class (15 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 4676: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- PID 4676: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 4676: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- PID 1324: xk.exe
- PID 4860: IExplorer.exe
- PID 3832: WINLOGON.EXE
- PID 4912: CSRSS.EXE
- PID 5048: SERVICES.EXE
- PID 1380: LSASS.EXE
- PID 3064: SMSS.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
Source process for every entry: PID 4676, e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- PID 4676 wrote to memory of 1324 (procid_target 82)
- PID 4676 wrote to memory of 1324 (procid_target 82)
- PID 4676 wrote to memory of 1324 (procid_target 82)
- PID 4676 wrote to memory of 4860 (procid_target 83)
- PID 4676 wrote to memory of 4860 (procid_target 83)
- PID 4676 wrote to memory of 4860 (procid_target 83)
- PID 4676 wrote to memory of 3832 (procid_target 85)
- PID 4676 wrote to memory of 3832 (procid_target 85)
- PID 4676 wrote to memory of 3832 (procid_target 85)
- PID 4676 wrote to memory of 4912 (procid_target 86)
- PID 4676 wrote to memory of 4912 (procid_target 86)
- PID 4676 wrote to memory of 4912 (procid_target 86)
- PID 4676 wrote to memory of 5048 (procid_target 88)
- PID 4676 wrote to memory of 5048 (procid_target 88)
- PID 4676 wrote to memory of 5048 (procid_target 88)
- PID 4676 wrote to memory of 1380 (procid_target 89)
- PID 4676 wrote to memory of 1380 (procid_target 89)
- PID 4676 wrote to memory of 1380 (procid_target 89)
- PID 4676 wrote to memory of 3064 (procid_target 90)
- PID 4676 wrote to memory of 3064 (procid_target 90)
- PID 4676 wrote to memory of 3064 (procid_target 90)
System policy modification (1 TTPs, 4 IoCs)
Process: e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Processes
- C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe (PID 4676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe"
  Signatures: Modifies WinLogon for persistence; Modifies visibility of file extensions in Explorer; Modifies visibility of hidden/system files in Explorer; Disables RegEdit via registry modification; Modifies system executable filetype association; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
  Child processes:
  - C:\Windows\xk.exe (PID 1324)
    Command line: C:\Windows\xk.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe (PID 4860)
    Command line: C:\Windows\system32\IExplorer.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (PID 3832)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (PID 4912)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (PID 5048)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (PID 1380)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (PID 3064)
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads