Malware Analysis Report

2025-01-06 12:09

Sample ID 240614-fx5btszgjn
Target e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0
SHA256 e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0
Tags
upx evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0

Threat Level: Known bad

The file e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0 was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

UPX dump on OEP (original entry point)

Disables RegEdit via registry modification

Disables use of System Restore points

Modifies system executable filetype association

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Modifies registry class

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 05:16

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 05:16

Reported

2024-06-14 05:18

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\xk.exe
PID 2372 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2372 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2372 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2372 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2372 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2372 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe

"C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/2372-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 f717612ad8f03464e96f3a33d67e8c4f
SHA1 3ef4d9b8960f8909446541bde480f1edcd4149a8
SHA256 e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0
SHA512 1ceea7d191284209fc1ef01321139bc1455fa03eb91339ee6d15b419e32542148efa5ce52429a5a91facadd0a9221d108ee7822890b4933d40308ef4b46da378

C:\Windows\xk.exe

MD5 ffea8ff15b205a943c198e46fe63dd4d
SHA1 ef98cf447b84fa8b4b356cd4eeeff7a0fd48172b
SHA256 e541702d0d4ce981a5d1888442be4998d62ca8f4837a6e17258fc43f97f2daaf
SHA512 1bf993572155172197dcf6665de1e0dc534afaddd190460918809bd8199f0715f809d25905cf0b3f6a43fc45b51d20aab4f396715a8da0d1494c5cc33253c33c

memory/2876-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2372-110-0x0000000000540000-0x0000000000570000-memory.dmp

memory/2372-109-0x0000000000540000-0x0000000000570000-memory.dmp

memory/2876-114-0x0000000000400000-0x0000000000430000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 46a867e41ec8608553494cab4a9c4382
SHA1 d7c4179369802b684a445f1654d04f232fa73bfe
SHA256 edba4a832b0b72abdea5098cb6a8e16e7e528e9974d4b3ae8a879d1e3a621abe
SHA512 5913cc239cd0c4da13100e00632342bf453da32ae0b83b640d53d4f2a6615f6cba65ae02b10f8b0c36165c6d18fa5ee14da898f79a27ab0020e80f4d4c73583b

memory/2372-116-0x0000000000540000-0x0000000000570000-memory.dmp

memory/636-125-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 0f4a62ffb6fed4afaea7cc1c8fde3c1d
SHA1 48f812dd7c51385659efbd15fefa1a4f2e60c1d1
SHA256 5b0a1d38994ebf90e149494684ddc974b20a006bbb4b30c381e42cde11af15a9
SHA512 83532c479b9ad1a3327505267f811194abc57328a917d3fcefe55eb18e0adf7bc55a9401c358ed89d387df7dab7f1d10e9a1544736802b4bcad8b9e3fa0526d8

memory/2692-133-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2692-136-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 443975720576d9c5c27474c00fe074fe
SHA1 67a2e25054b8e03fbfc7c31723eb359fff2bde3e
SHA256 6bc35a1770d75c8136a21dd63c01b28b97fe9a99d04eb616021bb7f1f9b8ce74
SHA512 1d01d0007b81ab2df8a6d3b4d0a197d7748b466ee2f3eba8880d77e892faf59b152f3fc407b4e040e3a2516e807824303848c44dd03d179d7d8262c0eff304fc

memory/2372-139-0x0000000000540000-0x0000000000570000-memory.dmp

memory/1944-147-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 ad591f38d9e9595bae90a502cabd19ae
SHA1 0e953f641b8dec2964d4a3ea4454b1eed065b001
SHA256 07eb923e70957ec310d8f896c95c7d3d7d972206f8353f8341178cfab2246aec
SHA512 820fe9b720460e78d459d896ae72e7fe37d4dfb8466b8141c7b8e620d3bf96a2d1c19adcf4c069e5afe852aec27c6ce454b68d98ad0d15e64c0e9b8817965ae8

memory/2372-151-0x0000000000540000-0x0000000000570000-memory.dmp

memory/2372-150-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1820-159-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 4d98aeea532beb7d14587a10ae9f2f61
SHA1 67e8ecb22c3b561ba31901322d4ddea6e44cf567
SHA256 135955a821933d794aec595a451eae80355121baac3b26958a60b97cab683464
SHA512 312f693cf450d00b4d32da4025da510f19a35fd88c36655abec2cc99700a4eb8a858f58761c93d10e35ea39240f1824485cd1aa98069cf861fec6c8c4302e245

memory/2372-163-0x0000000000540000-0x0000000000570000-memory.dmp

memory/2228-170-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 8e97a033098a938463c47ffd227133ce
SHA1 7c0b34cec53a71e02953259d91ffabe6dbf7ed90
SHA256 ed00a740e3315a96800c2d240c14bc734e077a008800ff49b8e4625a3b912782
SHA512 fdc9fbb12c29108b4fab1f54a5cdcaaaad7bbb3393a6990e08ade2102ea62bb84d4728f7cb2f15333d84970eba4cd66c33b9731399f0857933e9849dea3afd39

memory/1604-178-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2372-182-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1604-181-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 05:16

Reported

2024-06-14 05:18

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\xk.exe
PID 4676 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\xk.exe
PID 4676 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\xk.exe
PID 4676 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4676 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4676 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4676 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4676 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4676 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4676 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4676 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4676 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4676 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4676 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4676 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4676 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4676 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4676 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4676 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4676 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4676 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe

"C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Files

memory/4676-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 f717612ad8f03464e96f3a33d67e8c4f
SHA1 3ef4d9b8960f8909446541bde480f1edcd4149a8
SHA256 e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0
SHA512 1ceea7d191284209fc1ef01321139bc1455fa03eb91339ee6d15b419e32542148efa5ce52429a5a91facadd0a9221d108ee7822890b4933d40308ef4b46da378

C:\Windows\xk.exe

MD5 96269932020152a796d6b1106d5241e3
SHA1 f2020b1ebecf162fae7d38454ad106a3fa84507d
SHA256 44ccca80368a81ea7814bfa2a0b6dcf4e234e7027eca023a36af4411dedf281e
SHA512 e3fc05e30839924467d0304f4b0a0e3bb32750f4677e0848a794a86954c990788a764342938241d036d5dcba3f0e6041251366a5e6214e318664cc7940b46426

memory/1324-107-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\IExplorer.exe

MD5 0ff0fe8c817ac701d82a7445ad893c43
SHA1 3ef004f77c99846e33f1492081223fe812bae818
SHA256 22d267a1c2d32ee5d4ea1a6b82bce5196d24d405379cb5819c83781c89e81355
SHA512 eb3839426c201f194c51a9837705b858cb2f3f95a97643a2563b67b50cae479de4f1b83acca37fd5d9a36a26c6d9e013465352bfe066ef4d31fe76b6a3fd6771

memory/1324-113-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4860-114-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 4e5d05ce7884144713caf8a6b71f8172
SHA1 8c5c54ab839af9836a90fbf0ce3ece96dcf99507
SHA256 d67af74f791d33e1075a0889824343875fc928e588ec05192477e994725e15e0
SHA512 15f321b781379a84ac262b8a39ec3e1d07f0914e9be90c4b7ba1dea16e748ed18b150023cd867b7f92cfa3a682f70d1cfec749e79ff0cb0e2ef03ec3a1222ad6

memory/4860-120-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3832-123-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3832-126-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 aa3edc8d432ecdb07804101dd635fb58
SHA1 4d0e0065dd8798aafd8d8f5808311ddfe4fba01b
SHA256 8732739f82fe76757be79687ae15c35926ced9cd63954668d25db854d6638eab
SHA512 374e24f2ed31151c4a6884fa59189bee6b0b76dfaaee03219f486ef5cd66966d8d9a7b54a6a52d94602a7969d60807054e1a40915156f4e80f2728e0ffc5f4c6

memory/4912-128-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4912-133-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 36e26394e775481642589c5487c05a70
SHA1 f8b86bdc2c0b0ced66d759683d8feb66177a7666
SHA256 5c001378263e585bc6ab594e4dba266cc11024e0f896b885f1914cac5d8ab33f
SHA512 3088011eec8a95aa286b779dfc036d2a2f261f184727a6fbfbe757a2ce72bd6bd9321f58693f0ba6896354540bf4ce78094307049d8c1d79d986e29a8d8918fd

memory/5048-137-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5048-139-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 4a97ae9b1ae6ac0374f163310216c884
SHA1 5f0f64fa8a47cabd0241c139b7841b8b68a53536
SHA256 2305a74d0d50c01c848a45b10cdf76804e5ff9f62276cb30a1e4e708eb4437b0
SHA512 debbeeeb2c7a61ea87093c374b7bb76f34db328ea6e226764998ec6fd5e11a6b62970553c06f31446c4c32a92727383f7ce9b16159d78585780904cda3c7add4

memory/1380-142-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

MD5 588639b2a8766babfad680e5ffcb6172
SHA1 275faeb320b1648c880528acae23f361ff412ec2
SHA256 bb30776607da0dfabfe60a2c72e6251fd0fdcffa549ac9ed6c51832c65520ca8
SHA512 98ff2ec0df8d1e35731dcad10f48c9d56b103a42a7cec94dac7b43d92f2d0163fceb2b797a8e66267a02c5bf62be60e26f98ab4e85dd6b17683ae608c797a89f

memory/3064-150-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1380-148-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3064-153-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4676-154-0x0000000000400000-0x0000000000430000-memory.dmp