ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Size

159KB
MD5

57d9e65deb45e6cdd1aa177ad9628785
SHA1

b8a1b46b455a03cb4d4a7eed05a425f91153e257
SHA256

ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0
SHA512

1b397892f054381f7fd4581d6ad1e6a88c5a919e4b53de93ba8fbf557651fc32c8b2f7847e4c7ca1f22a6722c310a76db73508f88835748010a932f731c9c2b6
SSDEEP

3072:g/5F/E7tEf0E+p+tYlpJH7iXQNgggHlxDZiYLK5WpYq:ghF4c5+wWJH7igNgjdFKsB

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Detects executables built or packed with MPress PE compressor 27 IoCs

resource	yara_rule
behavioral1/memory/948-0-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0008000000015d71-8.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/948-106-0x00000000004A0000-0x00000000004CF000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000015f4b-110.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00050000000193ee-113.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/772-114-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/948-115-0x00000000004A0000-0x00000000004CF000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2124-122-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000500000001940d-125.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2124-132-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2900-135-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019427-138.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2900-145-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2896-148-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/948-147-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2896-151-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019436-152.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/948-154-0x00000000004A0000-0x00000000004CF000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2728-163-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019439-162.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/948-165-0x00000000004A0000-0x00000000004CF000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1600-174-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1600-171-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0005000000019479-175.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3008-182-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3008-185-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/948-186-0x0000000000400000-0x000000000042F000-memory.dmp	INDICATOR_EXE_Packed_MPress

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
772	xk.exe
2124	IExplorer.exe
2900	WINLOGON.EXE
2896	CSRSS.EXE
2728	SERVICES.EXE
1600	LSASS.EXE
3008	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
File created	C:\Windows\SysWOW64\shell.exe	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
File created	C:\Windows\SysWOW64\Mig2.scr	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
File created	C:\Windows\xk.exe	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
772	xk.exe
2124	IExplorer.exe
2900	WINLOGON.EXE
2896	CSRSS.EXE
2728	SERVICES.EXE
1600	LSASS.EXE
3008	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 772	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	28
PID 948 wrote to memory of 772	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	28
PID 948 wrote to memory of 772	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	28
PID 948 wrote to memory of 772	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	28
PID 948 wrote to memory of 2124	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	29
PID 948 wrote to memory of 2124	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	29
PID 948 wrote to memory of 2124	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	29
PID 948 wrote to memory of 2124	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	29
PID 948 wrote to memory of 2900	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	30
PID 948 wrote to memory of 2900	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	30
PID 948 wrote to memory of 2900	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	30
PID 948 wrote to memory of 2900	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	30
PID 948 wrote to memory of 2896	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	31
PID 948 wrote to memory of 2896	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	31
PID 948 wrote to memory of 2896	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	31
PID 948 wrote to memory of 2896	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	31
PID 948 wrote to memory of 2728	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	32
PID 948 wrote to memory of 2728	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	32
PID 948 wrote to memory of 2728	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	32
PID 948 wrote to memory of 2728	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	32
PID 948 wrote to memory of 1600	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	33
PID 948 wrote to memory of 1600	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	33
PID 948 wrote to memory of 1600	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	33
PID 948 wrote to memory of 1600	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	33
PID 948 wrote to memory of 3008	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	34
PID 948 wrote to memory of 3008	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	34
PID 948 wrote to memory of 3008	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	34
PID 948 wrote to memory of 3008	948	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe

C:\Users\Admin\AppData\Local\Temp\ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe
"C:\Users\Admin\AppData\Local\Temp\ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:948
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:772
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2124
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2900
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1600
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
159KB

MD5
57d9e65deb45e6cdd1aa177ad9628785

SHA1
b8a1b46b455a03cb4d4a7eed05a425f91153e257

SHA256
ebd79f5e8d9fc747f5d17972a81009e327610aa5af33f0b2f0c428ae864793c0

SHA512
1b397892f054381f7fd4581d6ad1e6a88c5a919e4b53de93ba8fbf557651fc32c8b2f7847e4c7ca1f22a6722c310a76db73508f88835748010a932f731c9c2b6

Download Submit
C:\Windows\xk.exe

Filesize
159KB

MD5
a4ce5bf0f61aa79874bbb6399f7a6a3d

SHA1
b03c9160178e8f1cbb6f5c7e55e4235c60fc4c50

SHA256
feda562b4461a4ba4861fd5edfc15d0e7cdb034df76abd3256f3c5bf1af719f4

SHA512
fb60f54687ce12f407bc13195fb1caff42a006a29d5edc835e18033e0122c1d2cd7e5c7464091dde4909bd8319e8a7de0ca8f0ed78493c45469c05c112bbf4b2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
159KB

MD5
fc4941a478371059783f76a29b0b8c12

SHA1
c6504ad7d292f2776044f83faad515e8f5f34586

SHA256
caad6a3cf73dfa6d382cde873ba2db15d63ff1a3030ea4f7a2c7609eb5d8b029

SHA512
a8439164cb4d5f200823d2ae4e8d7a7d4ad1a4b88cae23cf9a13021d71b40f89be5fca94a2110b0d86f7479da7817eee355778aedf72857972b136b16c2ffaf5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
159KB

MD5
6d4bf747bbc187f8a54e3d974ae5d28f

SHA1
21eacfdd99cae15e816e291146424f3d04b635fa

SHA256
dca114f8ef351ab9ca0379d17b981ce305fd20361216a78423994b152ce450c7

SHA512
85f14fdb7458c74e4bf9bc799edc152a1264bc48c23288afe95711f5b7ffc91a295901ffb4aaee89b620d0093006994b3edf85b0f0fba53d701bce7330b2fb64

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
159KB

MD5
664d9188e5ae72d41746d6980fe6bc6d

SHA1
3f79f1bc593368998a6abd593dc4f7d05852fc9e

SHA256
b90dbeb8edfdf48e0cc95319becb8aa558efea5ea9a1a7249592d0b9823207f4

SHA512
c81c9ddc818cfc1b8975c37562e1033d241b794555b99b342f944416334f21cf2c05c6c66f87307bf908cf240701b7f3156f149f39711bf1dd97eaca936c06c1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
159KB

MD5
1206b394449907653b940a25593f78f2

SHA1
05af6ca220ec21e81307d931f0949f1dca946ca4

SHA256
6120805e800de1cc090b491116642217cc753fd3fd3b7ce821cc65122dc12be8

SHA512
6ac629e048a42e48a0f0d921cebf5dd38121e4eea9d2e23dabbd68aca058ff25946509a8aab4cec6cc785504cc64889eab022cc3b915e382b6fb87d96877e79d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
159KB

MD5
63ec001889367b4ab0e4ea079c84caf1

SHA1
033863e3bc7a5a76a6ebd1f09f3f20f9bbf852aa

SHA256
4e97f5d04fc57295acf6b37e4722ffc5e214fd02782a6caaaa0bf85a6dc039d0

SHA512
210d95d0fec539969a52c45e53ccb93af595b6991a442e1f2ae223c935a98ba4bc3d7f537b79d0b5ae0b94763ddb8e7c04d6dacea5835049823ed5387e9ee96e

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
159KB

MD5
2791cb1e1890bf1c04482d1e84d39486

SHA1
75112d1d5db10d97e2dbe7792526a969e8b407e7

SHA256
964d98d753330312720afaf4ac54c1e43dbf40aad46f36a5b0eb20392aa542f3

SHA512
1f062827bfe22f845ac2113f08d092130b0d46389a5c32f739438accd90e8072197c5a68a8a1b517da17f857d6c6a0852397b2c34bde8dd75d9596896744549f

Download Submit
memory/772-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-144-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/948-115-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/948-131-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/948-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-133-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/948-106-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/948-165-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/948-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/948-154-0x00000000004A0000-0x00000000004CF000-memory.dmp

Filesize
188KB

Download
memory/1600-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1600-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2124-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2728-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2896-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download