0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Size

91KB
MD5

1ad06c84941d002251f4909077d551b2
SHA1

bd6619b20b250923df604387847a47192550d123
SHA256

0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d
SHA512

76df341dd0a83c36c3453b33db54cc88f14ae7a58876c7a63caccfa14df2182ac65522cf8d9d8687cb69dbfa8911edeb7c4a7aac06c98e0f702e4c933ce3c33e
SSDEEP

1536:zAwEmBZ04faWmtN4nic+6GEAwEmBZ04faWmtN4nic+6Gf:zGms4Eton0EGms4Eton0f

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Detects executables built or packed with MPress PE compressor 22 IoCs

resource	yara_rule
behavioral1/memory/2956-0-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0007000000016a3a-8.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0009000000016ccd-108.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2816-112-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2816-117-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2956-118-0x0000000000350000-0x000000000037E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000171ad-116.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2448-125-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000600000001738f-128.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2448-130-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2068-140-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000173e2-141.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000173e5-151.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-153-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0006000000017436-162.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1696-165-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x00060000000174ef-177.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1256-176-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1660-185-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2956-184-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2956-191-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1660-190-0x0000000000400000-0x000000000042E000-memory.dmp	INDICATOR_EXE_Packed_MPress

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2816	xk.exe
2448	IExplorer.exe
2068	WINLOGON.EXE
2208	CSRSS.EXE
1696	SERVICES.EXE
1256	LSASS.EXE
1660	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
File created	C:\Windows\SysWOW64\shell.exe	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
File created	C:\Windows\xk.exe	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
2816	xk.exe
2448	IExplorer.exe
2068	WINLOGON.EXE
2208	CSRSS.EXE
1696	SERVICES.EXE
1256	LSASS.EXE
1660	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2816	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	28
PID 2956 wrote to memory of 2816	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	28
PID 2956 wrote to memory of 2816	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	28
PID 2956 wrote to memory of 2816	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	28
PID 2956 wrote to memory of 2448	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	29
PID 2956 wrote to memory of 2448	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	29
PID 2956 wrote to memory of 2448	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	29
PID 2956 wrote to memory of 2448	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	29
PID 2956 wrote to memory of 2068	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	30
PID 2956 wrote to memory of 2068	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	30
PID 2956 wrote to memory of 2068	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	30
PID 2956 wrote to memory of 2068	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	30
PID 2956 wrote to memory of 2208	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	31
PID 2956 wrote to memory of 2208	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	31
PID 2956 wrote to memory of 2208	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	31
PID 2956 wrote to memory of 2208	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	31
PID 2956 wrote to memory of 1696	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	32
PID 2956 wrote to memory of 1696	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	32
PID 2956 wrote to memory of 1696	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	32
PID 2956 wrote to memory of 1696	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	32
PID 2956 wrote to memory of 1256	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	33
PID 2956 wrote to memory of 1256	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	33
PID 2956 wrote to memory of 1256	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	33
PID 2956 wrote to memory of 1256	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	33
PID 2956 wrote to memory of 1660	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	34
PID 2956 wrote to memory of 1660	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	34
PID 2956 wrote to memory of 1660	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	34
PID 2956 wrote to memory of 1660	2956	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe

C:\Users\Admin\AppData\Local\Temp\0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe
"C:\Users\Admin\AppData\Local\Temp\0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2956
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2068
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2208
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
1ad06c84941d002251f4909077d551b2

SHA1
bd6619b20b250923df604387847a47192550d123

SHA256
0ca47f3cc10adb0e2b58ac4dbc53bf3eafd91a57fde941d20b0255b80cb6498d

SHA512
76df341dd0a83c36c3453b33db54cc88f14ae7a58876c7a63caccfa14df2182ac65522cf8d9d8687cb69dbfa8911edeb7c4a7aac06c98e0f702e4c933ce3c33e

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
e0ac4df84e5d341a6aa7d2a5012cbc10

SHA1
4c3e9d095b8590d1d636fda4572ed4b4733d72e3

SHA256
c4d811731d8a052e9b162c5bc43fa887877faf9968f0872a0e80616446ea7960

SHA512
ae1a1a386b152c563859bbd3d39378eb19e1ca962eb0443fa68a34715236a1d0928fb8d47770e40cab57f6197668bb37b50407a17f99f4137f332d4bf2ce1020

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
d74ec0828373b91166c3a1c1e7d6ba0e

SHA1
96a0394e352acc68f87696a8da27a48dcb0623c0

SHA256
c0687ec25ee4df6105bccfa95b1580fda7903311c707d6effe7874767c023f00

SHA512
79f6e6e168f53817f56616485dc29f4c194039704a95b7cf630028066c0e3dc9c64be4756a94c2c5116fda3c222f9e9fb3124b89ffac0b1ff7f7616828f67051

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
d8328d98a6d659c921e8558f37f421eb

SHA1
fe6a9e7a7113502bcd3e9e3c7426b29b1b6fade4

SHA256
cb84a546d1efa3d132caccf7c89b5965cfb45107e95cff283941480e92f475fd

SHA512
89ee73632dbea7b2aa633f7e64b105a9252e81895919b852e0d3336f412248a06bea3f1a988bccb59ac860cbc8c687f5ca862715957272e667af544821bb3997

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
a8d0252a27fbf8af0be6b1c3feb49a00

SHA1
80c954fae638eaf62b83ee2b8759f99cbbdf31d1

SHA256
1864a0ef49233ea569eab1338d44924c7bc57cc945c9bd782e4aec29573062e8

SHA512
f85b068b6d271e8e5a72c813700faeff3555e46cde0bcaf832e5fd02e42fa7321f69e2648c917e6450d029502934848d5b3c681d58cb6efca5c899fcd5357466

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
74bea64a3af45cb38f269e070aa1cb90

SHA1
7c8cd43271a2d142408ce02d3780042e511e82cf

SHA256
9f6ceea5c0ed7f08150ecf1d338003cbb4fd59b55ecd8455d98116b59eddf143

SHA512
7bd6545dc88a672a1d639b2f3814ca8ef91b432f46df9ff5e614d3ae22b1c022fc270741a06fe12c7ed711624220e3ea5ebc6a5d37c66b260722f8b5c2c5835f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
28e66d5c1abb143e5e57664ed6d7be44

SHA1
6299404c428eeaa9825ae4f75c30f4df69b91352

SHA256
2c5dcefd22d3afb3d0cd0ddb1efabed8b6e5af3c28b13a14018eb8215a01cd93

SHA512
411e19dcbe5b9705e94deea6005b877b948cef63aa626f14b18680250748af6ec2e991d0acf57a1122030dd4a56b5141912e7899c6659514bea28faeeb444001

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
6b1ed94e0a531553ba2524f84b925250

SHA1
ecf57be3d864e20ecf00016421c0c713eab7be79

SHA256
37048f59ce59b4b8509fe70046d4dae45487be687d73c97980c2c0978d120c06

SHA512
f7baf5aac33f3a9a9b41423c9ae66f3055b984106ede9190af52e6fa90fbc39fdfcac5570579b3c794f746c6512e16571e63fab9573dd3a95ccbd52f1c1993df

Download Submit
memory/1256-176-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1660-185-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1660-190-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-165-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2068-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2208-153-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2448-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2448-130-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-118-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2956-159-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2956-137-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2956-172-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2956-171-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2956-136-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2956-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-110-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download
memory/2956-184-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-191-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2956-111-0x0000000000350000-0x000000000037E000-memory.dmp

Filesize
184KB

Download