b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
Size

132KB
MD5

9635e2fe9b04cbe621ead618173d54ce
SHA1

de8171b31ea2a48abb5ed193bf19d69ded0ee8ea
SHA256

b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276
SHA512

375c1db30e0b8571d335ca393139f1f1509491208023099c1b60787bebc03529272979ade6a56d16d9b177bfd2aa84c8c913aecbbcb940d85753e0d6f02e4388
SSDEEP

3072:fplN73aQUlvjHJKuKidtQjrwZ7M4W5NjapLNnAikAx:xjWrLJKuKnGML5Njcx5jx

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\UDJ7K1V\\GWF0O7V.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\UDJ7K1V\\GWF0O7V.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\UDJ7K1V\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\UDJ7K1V\\regedit.cmd"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
3016	service.exe
2836	smss.exe
2196	system.exe
2908	lsass.exe

Loads dropped DLL 6 IoCs

pid	Process
2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000014ed9-149.dat	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\sDJ1U3C0 = "C:\\Windows\\system32\\IDC6J2EFJS5O5N.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0O7VJS = "C:\\Windows\\XCM1U3C.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\sDJ1U3C0 = "C:\\Windows\\system32\\IDC6J2EFJS5O5N.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0O7VJS = "C:\\Windows\\XCM1U3C.exe"	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\O:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regedit.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\SysWOW64\IDC6J2EFJS5O5N.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\PNR1W0K.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\IDC6J2EFJS5O5N.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\IDC6J2EFJS5O5N.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\PNR1W0K.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H\IDC6J2E.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\PNR1W0K.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H	system.exe
File opened for modification	C:\Windows\SysWOW64\IDC6J2EFJS5O5N.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H\IDC6J2E.cmd	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\SysWOW64\PNR1W0K.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H\IDC6J2E.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\IDC6J2EFJS5O5N.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\SysWOW64\IDC6J2EFJS5O5N.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H\IDC6J2E.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\PNR1W0K.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H	service.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H	smss.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H\IDC6J2E.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\PNR1W0K.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\YPR2U3H\IDC6J2E.cmd	lsass.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UDJ7K1V\winlogon.exe	smss.exe
File opened for modification	C:\Windows\UDJ7K1V\GWF0O7V.exe	service.exe
File opened for modification	C:\Windows\UDJ7K1V\service.exe	winlogon.exe
File opened for modification	C:\Windows\UDJ7K1V\regedit.cmd	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File created	C:\Windows\MooNlight.txt	smss.exe
File opened for modification	C:\Windows\XCM1U3C.exe	service.exe
File opened for modification	C:\Windows\FJS5O5N.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\FJS5O5N.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\UDJ7K1V\system.exe	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\UDJ7K1V\TWT1X8Q.com	service.exe
File opened for modification	C:\Windows\XCM1U3C.exe	system.exe
File opened for modification	C:\Windows\UDJ7K1V\service.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\XCM1U3C.exe	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\UDJ7K1V\smss.exe	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\UDJ7K1V\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\UDJ7K1V	system.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\UDJ7K1V\winlogon.exe	system.exe
File opened for modification	C:\Windows\UDJ7K1V\TWT1X8Q.com	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\UDJ7K1V\GWF0O7V.exe	lsass.exe
File opened for modification	C:\Windows\UDJ7K1V\system.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\UDJ7K1V	service.exe
File opened for modification	C:\Windows\UDJ7K1V\regedit.cmd	smss.exe
File opened for modification	C:\Windows\UDJ7K1V\smss.exe	lsass.exe
File opened for modification	C:\Windows\XCM1U3C.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\UDJ7K1V\TWT1X8Q.com	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\FJS5O5N.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\UDJ7K1V\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\XCM1U3C.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\UDJ7K1V\system.exe	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\UDJ7K1V\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\UDJ7K1V\smss.exe	winlogon.exe
File opened for modification	C:\Windows\UDJ7K1V\MYpIC.zip	system.exe
File opened for modification	C:\Windows\UDJ7K1V\smss.exe	smss.exe
File opened for modification	C:\Windows\FJS5O5N.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\UDJ7K1V\GWF0O7V.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\UDJ7K1V\regedit.cmd	system.exe
File opened for modification	C:\Windows\FJS5O5N.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\UDJ7K1V	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\UDJ7K1V\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\UDJ7K1V\service.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\UDJ7K1V\smss.exe	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
File opened for modification	C:\Windows\UDJ7K1V\service.exe	smss.exe
File opened for modification	C:\Windows\UDJ7K1V\smss.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
3016	service.exe
2836	smss.exe
2196	system.exe
1316	winlogon.exe
2908	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3016	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	28
PID 2416 wrote to memory of 3016	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	28
PID 2416 wrote to memory of 3016	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	28
PID 2416 wrote to memory of 3016	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	28
PID 2416 wrote to memory of 2836	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	29
PID 2416 wrote to memory of 2836	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	29
PID 2416 wrote to memory of 2836	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	29
PID 2416 wrote to memory of 2836	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	29
PID 2416 wrote to memory of 2196	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	30
PID 2416 wrote to memory of 2196	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	30
PID 2416 wrote to memory of 2196	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	30
PID 2416 wrote to memory of 2196	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	30
PID 2416 wrote to memory of 1316	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	31
PID 2416 wrote to memory of 1316	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	31
PID 2416 wrote to memory of 1316	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	31
PID 2416 wrote to memory of 1316	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	31
PID 2416 wrote to memory of 2908	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	32
PID 2416 wrote to memory of 2908	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	32
PID 2416 wrote to memory of 2908	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	32
PID 2416 wrote to memory of 2908	2416	b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe	32

C:\Users\Admin\AppData\Local\Temp\b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe
"C:\Users\Admin\AppData\Local\Temp\b3e1269b978cc3e231e7b3400a474344e489a8e7a59bb7b369a9216304261276.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\UDJ7K1V\service.exe
  "C:\Windows\UDJ7K1V\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3016
- C:\Windows\UDJ7K1V\smss.exe
  "C:\Windows\UDJ7K1V\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2836
- C:\Windows\UDJ7K1V\system.exe
  "C:\Windows\UDJ7K1V\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2196
- C:\Windows\UDJ7K1V\winlogon.exe
  "C:\Windows\UDJ7K1V\winlogon.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1316
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Music\My Music.exe

Filesize
132KB

MD5
c907c4813c8830c9accce562d0074364

SHA1
2aa27df34764b96ff6afdb3bd7cdad5b9c9a113b

SHA256
3f8d1a4074127dfdff105795a99d03db119d1d84d3a6ede2a8ed1100de797dd0

SHA512
1deebeb3499a34563d2b62987f7833f185d1f893e11c03c3fef77365a71a8d95e671320ce9c4c3ece204887e22875f03d8c42f77b767e10972c1759442411272

Download Submit
C:\Windows\FJS5O5N.exe

Filesize
132KB

MD5
0902b78014a8c7df654ad40753785256

SHA1
e42a4c83f7a3ad1a3cfdf163d95fb5bb902e8344

SHA256
9a6e5155444005ff6564820443b215d59c8cafe8157f381a3d7737778132218d

SHA512
9ead7dec541b96a22798d2f99b6cd6bdb1e58254af0126b529d7a8810c54f4e56a26409315e35a7ab09e81ef1139bdf4cdfeb2011d2235c14bf2549e765a74dd

Download Submit
C:\Windows\SysWOW64\PNR1W0K.exe

Filesize
132KB

MD5
2dc61a40c4af00d46d201b1e21ea9ef6

SHA1
8f50a788811b85a7827ad81e7cf6bbce657433f7

SHA256
993dee1dd30749a0746306285e7f576bb284d5710a6ce2575704ec8a228e71be

SHA512
870a3ab108b6b3a3d9ff6ce18b4d3d7a75dca01847bc009103745bbfae6a192dfb789439e292c39e58586e49cde7311c32b55dec8d4046f655809c1a072412e5

Download Submit
C:\Windows\SysWOW64\YPR2U3H\IDC6J2E.cmd

Filesize
132KB

MD5
0f91c4b6a83ecc80e96aea92960d2b43

SHA1
6f0f8a094657abb1f0d48b686b946c8991f7b69e

SHA256
f2cde432c956cb80a2bad37df23e6f8d7eb8d227c253b385ffe8ad71588a9b60

SHA512
70c0a1cbe4cd29601c8558d02eae348b27364d63e09e63dc400f02f80975385e90117e6e23f11e9c24f540b3dca6fdb7cb85fe4bd11d1ad4874fd34256ff9580

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
eed7dd5e6b7486d8c5879b0f9894ee87

SHA1
febf56fbc3c86062c81d6eaf3d62cce21744059d

SHA256
76f4ae8b03d4f8989cf81f26902015ae805b5c3cde8891245c6dc897ebc33844

SHA512
adb80de42d1bb0643ea80e847f79c1ec8a9c4965489a9bd6d76249a43f43b6c8a75f30d10942647ef2a3078b0b132b788de5d690d653d7e3c3d823275a2c4bbd

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
54516810e2a517ffbf1e64f1b66cd0ea

SHA1
e7934355d1aa722445b59cf793ce72dd13187b3f

SHA256
507bbc22843be3a4ed30c6133a8251e173e98a8d4510337175461ff0ddfe3901

SHA512
389c90800e68dddce9be14d6f6340ec7dda01764df85148e7254d7510ca687d52ce67c627238e72c3bb365226f0401f3d176d7bdd2f024eea93b45cdafb8ce12

Download Submit
C:\Windows\UDJ7K1V\GWF0O7V.exe

Filesize
132KB

MD5
b223a5178c82d98930a88f9a608d032a

SHA1
f40970a009673aabcedef6101e4d4a9599a5a647

SHA256
f711922e2b6e07a52484a1340c7809feb53a9e204312f734f45e639a347fbfa2

SHA512
a991bf47197a2d774c76818e1c94fc7eaa25fe5624526783e1455a3f7a52457083ef083602bab465dd977934756c6951ce5dbd374d4e1c606c19862555473ecc

Download Submit
C:\Windows\UDJ7K1V\GWF0O7V.exe

Filesize
132KB

MD5
b6f9563569f2419a61daac3a34a6b6d6

SHA1
6243fc25177453111a01b3aff6b82d3068d08627

SHA256
0d2b6acf303e3492c62c42eb64c10b166faedfc003f268b74bcd24d5e22155aa

SHA512
70ed51b219c338fbd457f0cf645f7c585ba26de268d0267161c4cb53694c5ff26ddca1857fe9732968ffd0a1b33085fbacdd3ef9869d8f511d9fdde8aca3b441

Download Submit
C:\Windows\UDJ7K1V\TWT1X8Q.com

Filesize
132KB

MD5
f439d535627b972bc1d35a632c9c8da3

SHA1
e2642b21991fc012c611e31a98066b10a4a9d764

SHA256
f99aacd3314efae0eca8c4c903b8c3c6932a991fa46d106737eba2ac697e1c52

SHA512
9b65f2c42aca8a8a53087c15900d6c28246b26cd8d8c99b13d2d784d6b8d4c383ae9fea5fea2f87ad2419f2910268fab859fb34d9ccabb9e99e098f1ac1d9d80

Download Submit
C:\Windows\UDJ7K1V\TWT1X8Q.com

Filesize
132KB

MD5
a89cbe7daf64b5c321f430edb3dc952c

SHA1
38c3d43fee490651844fe76c29c7655417078109

SHA256
c61b00032a77b6927384179d34b73a1144698e404c2e02004773305a931ecb12

SHA512
2f0696faf58c5ec2c09883dd7ea1b690b7246020642c141fa6d55bab5c2fcb75cffcbff2b19982494f301050958a57ec2f36e4d641c15a37262ad8c41b8b2ea5

Download Submit
C:\Windows\UDJ7K1V\regedit.cmd

Filesize
132KB

MD5
29040bab73041f08ea241aa53c82775a

SHA1
79b5156e9258138ed7e7a71052a6f1655a2527ef

SHA256
b149235079521746ab013248994e2916bfea0493247e8ae5dfdca8ece8d77409

SHA512
02d642d98fa050cafb7aae8bc98a684766ba101edf408f41c39463f151fe608c94cc54a4386d4ed50d3ed160160bdb65ae2c721789984e2c3dd16fea52c2d2eb

Download Submit
C:\Windows\UDJ7K1V\service.exe

Filesize
132KB

MD5
36e7fa77720295a9897c60aac2a48cca

SHA1
5feb2f20dae637c7c48551f01e701fb299e7bb52

SHA256
ff05d86411f87c992e1f2c6902f15c44158e6252bf39a8031940c892060e14d2

SHA512
e1e66299facde2367735d71a5a70d849179097b53ee8040902d4015d8cb398259a119ce30ebe19a8fafd7168bfbdf4e367b2054af4f66bcdcea540ae84f2657a

Download Submit
C:\Windows\UDJ7K1V\smss.exe

Filesize
132KB

MD5
1fa1f735d6c1a192c2d3a6522f771e08

SHA1
74105f3a9080f79f7b19f92354455ecbefb10dba

SHA256
a98e4b9166ba9fe5416e3342adb237aa84bd82e5684afbd183192f7f27b3ec63

SHA512
224e2a0d51ab8606639a640a6b3f1bde0b0da8ee24ad64c85f2ed079a1ddf876473d77fdaa6b6b319595b9c8d9737c170fad47158fa08bcfbb96de3d3e680f42

Download Submit
C:\Windows\UDJ7K1V\winlogon.exe

Filesize
132KB

MD5
33e0fcb6ef00ab3a3194b4f40a71df28

SHA1
6356345d5d6cc030e31da1499e16f2f8cf092345

SHA256
d6449c797a45c094ebcb8b92f10afd73dedf4e0c01c06f2c75ebad1ee287413e

SHA512
2515c61aa2ca8ee89b0c8e921875589648e24bd1765875c0e8650adbdd7db79c9b406eeaaa09c801950432b491bfca090c2cc190f4109104b5647c28a137607d

Download Submit
C:\Windows\XCM1U3C.exe

Filesize
132KB

MD5
f949635e450860f4e492d6604aa5e77f

SHA1
0c74a457aefa49092f2afcb52c1541391530e3bb

SHA256
444d818cfe1b481ad26be6a9828871698ba7ba3cd6de1689f9636ec07703aa06

SHA512
5432771a5d86f02d3c007c47147c514fe09a4caae0701f5d80b7daae4542908898b07c240d082dd8b155ff38aecf1ab7324b725714ceca4c3577f4da684ca11b

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
65a3ed6f11ee1ee326e040a1348e49c1

SHA1
fc5a7b62fca85ea1b59089ddd42c61c9a4174556

SHA256
45c87ad35ff04e777d59cf81520d85bbef33f124c029e0f66c099d9ca001b8e1

SHA512
34cf8335336f998b3f7ea37ecb90a8e0ba0e49549be9970d2a0601aa59431759bdfc12ab8210549e6b4e8b6a311f494372a63a8bab23dd8685e9166e185b870a

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
c2c497aaa61ee4a3f14827917511263c

SHA1
9f3979115a87fb02d779184885858ab5d2d4ee9b

SHA256
07928f5a5fd5b3c5f095358af8be5899fdc973832ee5c9650e4b4b168c5dae3e

SHA512
04606518e8e0d2c132abc8a7d513cfc9d5a9c514f1d04a540f559e46440048d080ba8c773c32711146d0039e6e3df4d543376290c13e576e13471a371a1bbe22

Download Submit
C:\Windows\lsass.exe

Filesize
132KB

MD5
6e455f04adfd95d67ae86278e0ec258b

SHA1
972183968c8c71544a371dbb57338ddfc6a59722

SHA256
fd8a7506162a258c948a0c8dc6df6ed2d2f039578c76e0fd20eb433c091110f9

SHA512
167a57df4a99e3d033bb0f50a5ccc150d9d752202c82ec8d4ea27876bab90725f23998a478a08414c096eb6eed510dda35849146b43f95836750aaf4411811bf

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
8e6e31f8df128a746ff9a3a38f8f78c0

SHA1
e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

SHA256
dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

SHA512
eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
498f7d112a7663cb7d204f8bab8a4689

SHA1
dc034d93e9253698dc6452fad90a2ef79fb02e2c

SHA256
6e6fcf24cc1f77da8f432ae1c43e20e79761c4f584cbad410c44b3a54e3e5d45

SHA512
0cc4da260f8377c9e68f32aa07bdd13c2aa33a5578fea1e220a8f25ae5670dcccfddb65c693c3bade6191adb2ff25f505ebc9f6cdae83422413c7ddda620fcc5

Download Submit
\Windows\UDJ7K1V\system.exe

Filesize
132KB

MD5
f2b4a6a990ae35082b607bdf2a918e3b

SHA1
7048d6ec08de083dc01f2b222db98843d677524f

SHA256
f6479bcec37f6872c43c95095c3d56c8243e6b255046180ff0bb72c2209f6b8e

SHA512
e11aee5d259924fc5246f9854639b24b8e225c591315c7b8a1728ae911884e8c74b1d38666fd1939f07fea1bbed19b69e1b089fc6b2760f7da4dc6b29762fe99

Download Submit
memory/1316-259-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1316-296-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1316-250-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1316-254-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1316-242-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1316-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2196-246-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2196-248-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2196-263-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2196-310-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2196-253-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2196-261-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2196-262-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2196-120-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2196-285-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2196-247-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2196-241-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2416-206-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2416-47-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2416-207-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2416-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2416-54-0x00000000031B0000-0x0000000003208000-memory.dmp

Filesize
352KB

Download
memory/2416-212-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2416-209-0x0000000003920000-0x0000000003978000-memory.dmp

Filesize
352KB

Download
memory/2416-71-0x00000000031B0000-0x0000000003208000-memory.dmp

Filesize
352KB

Download
memory/2836-238-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-68-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2908-260-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2908-249-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3016-57-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3016-239-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3016-210-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads