4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 20:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Size

91KB
MD5

5f1f5c22513cd4073f9c28f6af42efd1
SHA1

88d8d6d074c22e48a00e58f4b617e3020def6819
SHA256

4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a
SHA512

3acc4913fed2305b42c61360a34bef6a10fe3454a1c55d755e83e3d716049e70c2d91073cef902e52a5e7c33bb57ecfe3bda6bd67847e043f39dd27d07e9a483
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VTHRsjdf1aM67v32Z9x5nouy8VT+W:EOaHv3YpoutNHOaHv3YpoutN+W

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1792	xk.exe
2984	IExplorer.exe
1396	WINLOGON.EXE
844	CSRSS.EXE
836	SERVICES.EXE
2812	LSASS.EXE
2848	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000015d3b-8.dat	upx
behavioral1/files/0x0007000000016835-109.dat	upx
behavioral1/memory/1792-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2220-118-0x00000000030A0000-0x00000000030CF000-memory.dmp	upx
behavioral1/files/0x0006000000016c78-117.dat	upx
behavioral1/memory/1792-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2984-125-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2984-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016ceb-129.dat	upx
behavioral1/files/0x0006000000016d17-140.dat	upx
behavioral1/memory/1396-139-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d2a-149.dat	upx
behavioral1/memory/844-152-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2220-158-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/836-159-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/836-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d32-163.dat	upx
behavioral1/memory/2812-173-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d3b-174.dat	upx
behavioral1/memory/2220-181-0x00000000030A0000-0x00000000030CF000-memory.dmp	upx
behavioral1/memory/2848-185-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2220-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
File created	C:\Windows\SysWOW64\shell.exe	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
File created	C:\Windows\SysWOW64\Mig2.scr	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
File created	C:\Windows\xk.exe	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
1792	xk.exe
2984	IExplorer.exe
1396	WINLOGON.EXE
844	CSRSS.EXE
836	SERVICES.EXE
2812	LSASS.EXE
2848	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1792	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	28
PID 2220 wrote to memory of 1792	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	28
PID 2220 wrote to memory of 1792	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	28
PID 2220 wrote to memory of 1792	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	28
PID 2220 wrote to memory of 2984	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	29
PID 2220 wrote to memory of 2984	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	29
PID 2220 wrote to memory of 2984	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	29
PID 2220 wrote to memory of 2984	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	29
PID 2220 wrote to memory of 1396	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	30
PID 2220 wrote to memory of 1396	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	30
PID 2220 wrote to memory of 1396	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	30
PID 2220 wrote to memory of 1396	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	30
PID 2220 wrote to memory of 844	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	31
PID 2220 wrote to memory of 844	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	31
PID 2220 wrote to memory of 844	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	31
PID 2220 wrote to memory of 844	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	31
PID 2220 wrote to memory of 836	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	32
PID 2220 wrote to memory of 836	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	32
PID 2220 wrote to memory of 836	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	32
PID 2220 wrote to memory of 836	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	32
PID 2220 wrote to memory of 2812	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	33
PID 2220 wrote to memory of 2812	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	33
PID 2220 wrote to memory of 2812	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	33
PID 2220 wrote to memory of 2812	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	33
PID 2220 wrote to memory of 2848	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	34
PID 2220 wrote to memory of 2848	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	34
PID 2220 wrote to memory of 2848	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	34
PID 2220 wrote to memory of 2848	2220	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe

C:\Users\Admin\AppData\Local\Temp\4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe
"C:\Users\Admin\AppData\Local\Temp\4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2220
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1792
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1396
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:844
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:836
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
5f1f5c22513cd4073f9c28f6af42efd1

SHA1
88d8d6d074c22e48a00e58f4b617e3020def6819

SHA256
4a11342b983b085b824b8a22500dfa0928c80b32c450f59238c5b0a6331c9a6a

SHA512
3acc4913fed2305b42c61360a34bef6a10fe3454a1c55d755e83e3d716049e70c2d91073cef902e52a5e7c33bb57ecfe3bda6bd67847e043f39dd27d07e9a483

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
a92d49d98744aa84b3921eaceaf2cfc8

SHA1
741d04a35395f2ff679f41cc8c41d7edf0f74318

SHA256
9ab528e7ae5acd7c7b2ef57489a9814f82920f44e315d5d34b913f514f5b20af

SHA512
59a4d5f43db36b9b90db3bc75da5bbff9e3fe2f459dbf5ba1bf72f53266a759a04252ba6d99d6f253b271542ed63d2ff30e8915b036f28102a56328a540c5301

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
cf0b44129369e2a1f8b76be2fec0e7c5

SHA1
caf6dff007ecb0c8d2bc6d0ae665fcd4327b27da

SHA256
97c50c057d0f994c36df086b1d4415725201c0322665ab72efea4a4789a79ed1

SHA512
7cbfadadf7d0aaa655e538fd2d1b136a40757077525d7abdbd7cc1a8e82f1fd314c318a9bd3ee801f84307f7b99071778d1e5f6abe042fcba3d05f77b9a23d3c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
a2bef56aaf8fd3befa51b53d2dbc1e58

SHA1
f46a98afe70bb76975bdc01139061a2e70440c49

SHA256
37d0baa7938633ec8760b30f85f9b31844275358a5163ea7d3b303573962083a

SHA512
9a3d4337ea8f679ad5e58f5108414c87f379f05fd570cd31085276aaa02f50e0d19ea2cb6cb2ba1a10eb1b2b946848292440c5f9edf0dac268896895e6ff35fa

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
1e2a6c9f4d7afcd3f5d950ab49a6ba70

SHA1
c6ed4cc51545bbd6d3223ac37e537f44a8e55e61

SHA256
47c3fd1f6b98608f353a0aea2aeac1afa1b39feaa6bf8b6827c8dcef743f99f1

SHA512
32fa92ab25e3f5cd9ad5a6186657e573212c804093ed260ba3b8cc463d1e040dd1c843ed35cd26dcd73cb480ac32ed9c402b8010b6c4565db99597df5f881540

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
d6486e0818eb83cb5d115a372baa0b4b

SHA1
6279572499da419ac65dc1363f145987f49bc8cb

SHA256
846f9a13827c2a6d5fd612c6235312280bd925095263bfaec2e2958c8b5e9630

SHA512
7b8c827fc0170a35c5a7bb25ea27f802512d5fb60bc363fe850f708b4ad726aff49f7afa84375b9c22b3dc8c38302fa78bb602ef0294e89a9b53690b0d306daa

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
05cfc3a05e879770165648e67844125c

SHA1
342ca03ca07debdf6d8a1b00cb56d87fa44d4f28

SHA256
b6ced04ada284400367fcb6c99ab3eea0ebed609d86a9432aa518c678a495e57

SHA512
d1dfd859bd17b4f50ff01a854ba8361817a87c0567cdd3f195214bbb405665a6825eeaf9742a2e28d47e131bfd438f350aa70836552c697ca57fa76c81feae1d

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
553963fd3d0db39bace97c71a6ce62ec

SHA1
c9199e23abde0a0882dcbcc64fe4d3377be54bb0

SHA256
d75ee145124e3889677047bb4e9872cc46c5b94c28e31d1f3f83d1e1bc4007e1

SHA512
6e2d5af44a33a7968cffb633696d1b26c72fb4c931174cbc4c0df18f91461bc8d4cb2ce4f78538776a727275f08b11b11677eecb49db232bb573897e36991aca

Download Submit
memory/836-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/836-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/844-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-110-0x00000000030A0000-0x00000000030CF000-memory.dmp

Filesize
188KB

Download
memory/2220-158-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-111-0x00000000030A0000-0x00000000030CF000-memory.dmp

Filesize
188KB

Download
memory/2220-118-0x00000000030A0000-0x00000000030CF000-memory.dmp

Filesize
188KB

Download
memory/2220-181-0x00000000030A0000-0x00000000030CF000-memory.dmp

Filesize
188KB

Download
memory/2220-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download