533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
Size

441KB
MD5

2d269fca9378a8406f64786c56e06091
SHA1

fe662ac67fb814c6d9147cfec9bde7e601e2e341
SHA256

533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30
SHA512

2dbb7d75905eae9c878b9a82963b64533a66f85decbd396fb5ddee1de1814a918393d7ffb25b14675a75bb27c92a7718f42c775f98e9a890bd0da4af39469b64
SSDEEP

6144:4eHwXUljWrLJKuKnGML5NjcxFSsQLH5At:4yMU0g5NjaFSsPt

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\XGM8N2Y\\JYI1R8Y.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\XGM8N2Y\\JYI1R8Y.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\XGM8N2Y\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\XGM8N2Y\\regedit.cmd"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe

Executes dropped EXE 4 IoCs

pid	Process
3024	service.exe
2356	smss.exe
2916	system.exe
1008	lsass.exe

Loads dropped DLL 5 IoCs

pid	Process
2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sGM2W4F0 = "C:\\Windows\\system32\\LGF7L3HHMV6R6P.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0R8YMV = "C:\\Windows\\CFP2W4F.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\sGM2W4F0 = "C:\\Windows\\system32\\LGF7L3HHMV6R6P.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0R8YMV = "C:\\Windows\\CFP2W4F.exe"	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\X:	service.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGF7L3H.cmd	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\LGF7L3HHMV6R6P.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	smss.exe
File opened for modification	C:\Windows\SysWOW64\LGF7L3HHMV6R6P.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\LGF7L3HHMV6R6P.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGF7L3H.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\LGF7L3HHMV6R6P.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGF7L3H.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGF7L3H.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J\LGF7L3H.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\LGF7L3HHMV6R6P.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\RQU2C1M.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	system.exe
File opened for modification	C:\Windows\SysWOW64\DSU3X4J	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\XGM8N2Y\regedit.cmd	system.exe
File opened for modification	C:\Windows\XGM8N2Y\JYI1R8Y.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y\smss.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\CFP2W4F.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\service.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\service.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\service.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y\WCW2D0T.com	lsass.exe
File opened for modification	C:\Windows\HMV6R6P.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\XGM8N2Y\WCW2D0T.com	smss.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\XGM8N2Y	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\service.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y	lsass.exe
File opened for modification	C:\Windows\HMV6R6P.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\CFP2W4F.exe	service.exe
File opened for modification	C:\Windows\HMV6R6P.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\winlogon.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y	service.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\system.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y\smss.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y\system.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\WCW2D0T.com	service.exe
File opened for modification	C:\Windows\XGM8N2Y\JYI1R8Y.exe	service.exe
File opened for modification	C:\Windows\XGM8N2Y	smss.exe
File opened for modification	C:\Windows\CFP2W4F.exe	lsass.exe
File opened for modification	C:\Windows\lsass.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\regedit.cmd	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\WCW2D0T.com	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\JYI1R8Y.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\XGM8N2Y\system.exe	service.exe
File opened for modification	C:\Windows\CFP2W4F.exe	smss.exe
File opened for modification	C:\Windows\HMV6R6P.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y\smss.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\XGM8N2Y\WCW2D0T.com	system.exe
File opened for modification	C:\Windows\XGM8N2Y\smss.exe	service.exe
File opened for modification	C:\Windows\XGM8N2Y\winlogon.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\system.exe	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\JYI1R8Y.exe	smss.exe
File created	C:\Windows\MooNlight.txt	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\service.exe	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y\system.exe	lsass.exe
File opened for modification	C:\Windows\CFP2W4F.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y\smss.exe	lsass.exe
File opened for modification	C:\Windows\XGM8N2Y\winlogon.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\HMV6R6P.exe	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\regedit.cmd	smss.exe
File opened for modification	C:\Windows\XGM8N2Y\regedit.cmd	service.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\XGM8N2Y\JYI1R8Y.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
3024	service.exe
2356	smss.exe
2916	system.exe
1008	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3024	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	28
PID 2068 wrote to memory of 3024	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	28
PID 2068 wrote to memory of 3024	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	28
PID 2068 wrote to memory of 3024	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	28
PID 2068 wrote to memory of 2356	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	29
PID 2068 wrote to memory of 2356	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	29
PID 2068 wrote to memory of 2356	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	29
PID 2068 wrote to memory of 2356	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	29
PID 2068 wrote to memory of 2916	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	30
PID 2068 wrote to memory of 2916	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	30
PID 2068 wrote to memory of 2916	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	30
PID 2068 wrote to memory of 2916	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	30
PID 2068 wrote to memory of 1008	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	31
PID 2068 wrote to memory of 1008	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	31
PID 2068 wrote to memory of 1008	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	31
PID 2068 wrote to memory of 1008	2068	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	31

C:\Users\Admin\AppData\Local\Temp\533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
"C:\Users\Admin\AppData\Local\Temp\533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\XGM8N2Y\service.exe
  "C:\Windows\XGM8N2Y\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3024
- C:\Windows\XGM8N2Y\smss.exe
  "C:\Windows\XGM8N2Y\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Windows\XGM8N2Y\system.exe
  "C:\Windows\XGM8N2Y\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CFP2W4F.exe

Filesize
441KB

MD5
68c2b895de5f7edad9981faf4741a6a4

SHA1
a74dc8c29d2354e9c19bd1b22aaa9dc7bcec7838

SHA256
79c61df02cd477926fe1ed1088629fdbad8f93492847124c7606ef6f928612a7

SHA512
908f37a447d89ec080dd56776280440bb57160981a953db0e6dc569f1db936763db1f0304690e457922a3795ee9474d55a49a956b67a430361b5d4223e67df90

Download Submit
C:\Windows\CFP2W4F.exe

Filesize
441KB

MD5
065f686bc581c51abe9ec010e7bd8670

SHA1
ce772af705334fba10f0886396bfb44346503e69

SHA256
a03db27f5f0a27c542e5bf5dce65aa2e88438d426378e2c3a469177aafab4785

SHA512
0befd7b9860cc3c8eb296ca7a854b9053de417b06b6990f1fa427f79e3a3e76498fa92111cb21ba94d9c0faa637d8488c96d528afccb770787a0688dba6890b6

Download Submit
C:\Windows\CFP2W4F.exe

Filesize
441KB

MD5
2ec60364937f8ca78df9fd82346806e7

SHA1
30f2555e8394d4ccdfd8ba86817e0382a0f75e6e

SHA256
95ac75d7b87327164d527b5370f4f12ae57080e2973023ac81f46277302dfbce

SHA512
a645a47fb3db0a0bd0cde6ab750156755885896488985739dc7fd36ac99eb6e9ed551a5382495a0247ff6aea0a6cba80cd1f06a075bd614528699ed5289275a1

Download Submit
C:\Windows\HMV6R6P.exe

Filesize
441KB

MD5
5d06c03207a7c52801f4b286731ff73a

SHA1
d337646cbeaea3194263ef75dbed08d6401ab329

SHA256
16c1a715ecc4de76e587e25afdbe0393cad94f0e623737ee516635405903c3a7

SHA512
2d8445685ce83d2fce1afec6382b6e52108e7c6d71ff2948f6eebf34e6cd375e0fdf6dd00105364ec410505117e6e5c082888f058ed0b17643c39a58636f37c3

Download Submit
C:\Windows\SysWOW64\LGF7L3HHMV6R6P.exe

Filesize
441KB

MD5
8bc20c3033843137b51e295bec462d20

SHA1
b519e8086c70fc2f77be91b974ebd8907fe4f8a6

SHA256
f01838c1787eb1e353dd8d407e2673a46eccfb4aae8319cf8ecdda7ce8153947

SHA512
39db6bf9cc6e4749e0ee20165abcd0dc71ef5e1e3ecfd0b5c3c4c43af4c4c179c91ab3551198d68c7a29f9bfb410c74c4dd877fc4fe30488890bd4989aec906e

Download Submit
C:\Windows\SysWOW64\LGF7L3HHMV6R6P.exe

Filesize
441KB

MD5
89925c0c8c7442249785564331621b9f

SHA1
f2dd5dc7c91b0b98bd94651d0ba0b6ddcdba8557

SHA256
74bf6a9c2037066c6fea9f407c2e95c9e73b1cff357f00a652fca6d85184bc5b

SHA512
93800f02fe9ad5121237253dd44d04884114341c713c6669a08f13cd26686b5ea1eae6d2ac809def474eb45a9f38e837cfd9011cc26232713198a12512f99dc8

Download Submit
C:\Windows\SysWOW64\RQU2C1M.exe

Filesize
441KB

MD5
a90b764b8cdf9a5562b3a12330d23005

SHA1
c1e2e81bbb585692bc7eee4c4fbe720d59172507

SHA256
71e38a81f2c68998606c72cd0835a441fe36d1d7df384d73b2d737d66103e19d

SHA512
d08c1755fd703e21db971696aee7c7f63ae8ceb6c9d1adf30258404595916f8c168b630d2e0706281e7968716c78d3e9b365ef7bc8633a02979e34876d11edf4

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
001c97d7a1726167ca062d31f5bb8f9b

SHA1
563f84bef4078d4232d565b61a42a50fb6eb796b

SHA256
57b835333397602995cf118cf7e9232e78a0ff47805aa0f23f2dd75fd8d42f33

SHA512
74c4061d1a05612483e451f376230990d4c2298361ec47715513c6430b3f40e4c487b7e99fd9f4495d5895732615e1479128e9ce9761652d4a9f76bd396ebebc

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
d8f74ac7da88d77ef9e98d761d1bfde8

SHA1
9d1e8b2fdca3f60e5e301849d3310b8ea5422cc1

SHA256
b0b869f8ce82de73585f5cc1556c30053650e8e309209155642bbc1ec27d6031

SHA512
000e0e19d8b686c998b4b43c0a5387c9730bacfc37c0da3c023087d7e677e59019cfdfb3243ad2bf2272d574118cb6ece8e688cf499e2a720c7279b5c5c7e56f

Download Submit
C:\Windows\XGM8N2Y\JYI1R8Y.exe

Filesize
441KB

MD5
f274f040a3bc66ed5a5cd39ea126fbfa

SHA1
72b8993c4707f939e46d8b9f72e605cd4d01dc2f

SHA256
bb41a637ee386422ecdaf98b0a957c6a559db149966176e4337c4083a478763b

SHA512
c0d70ac6d6b3c959e9b496244e5b4962e2fb9c1462ee221c8cb3d1b5738dac6ce90d31d3a38ef435f63fe3938a742626d307344b36460b669573eef64f9c0cfa

Download Submit
C:\Windows\XGM8N2Y\WCW2D0T.com

Filesize
441KB

MD5
32f89311fedcc24ac145e6e3171d37e1

SHA1
47900c137f464f5faee86b0759f26c78f13bfd56

SHA256
ecc6d910da338d62b84a188a9f584648ece21c59f5b83c8800812bc779d55edb

SHA512
1600e68b7f1176d4df31ad1e921ed64c9198a705fd16d127275937773dd762ad0ec379dee7ffd2b485c849d4cfcb93a74d4062cc83cbbf336ccee0c9f8be50f3

Download Submit
C:\Windows\XGM8N2Y\WCW2D0T.com

Filesize
441KB

MD5
9e9927647b96745b76c82017549c3c57

SHA1
114c9bc716d8b2f6733d62468a8535cada2329fa

SHA256
d500da759e713ebe41a9c57eb5b125c4a4c5a74aa330364c6af1e9e6be04d389

SHA512
5a3e6e5f85860d2d8bf52c0ef6c547885c1564d5d5884fd38644d897be9c2376ea3e73abd0ed31cb565c3b7230ea58c2c263c1b3e24aa1d2af69aaff09d067d1

Download Submit
C:\Windows\XGM8N2Y\WCW2D0T.com

Filesize
441KB

MD5
a270986778f715461ab44729b25c1fe5

SHA1
3a9abaccb1bac668af2c38553458698dcf8d9082

SHA256
6898b87c883e916482dccfab7d244c6a1c4a23fbe458eea84e4f4d70c8622059

SHA512
94c7db49ad7c033ef22de3e5ba86924e7b9988089ae1c4c61a11f3a0849ec86d3d327b4142b0db76ac8ef046262957f0aa20ba9f48731588bc42dbbf419967c5

Download Submit
C:\Windows\XGM8N2Y\regedit.cmd

Filesize
441KB

MD5
f4dd871eeae7aad8768c4feecfca961c

SHA1
d44674a7b0bdc9c5fa1594926d61e840b6c44675

SHA256
780b892334ba9384f6c8e63588153627951604826ced5c05b10fcf3add406d52

SHA512
dd42bf072495ac9393f5ea9c1329a05643c587729c0183f473fb9cfeb1e9613ec07181fd62a67ee1b9341bdaaeeb5a97ac8180aaeb84446a9ac5315aac10013b

Download Submit
C:\Windows\XGM8N2Y\service.exe

Filesize
441KB

MD5
e407edd2dedf4c3d3b728d6742e2f5b9

SHA1
e22ae7804a2a164467e1bd405aa1c3b1dbeb6066

SHA256
f1441f8870165064144b78692abde3b7fc658ef7ea202a8a6c443420af58ac36

SHA512
366e7222ee4e00f0bf837e4dd9e48ca3e6c36370740e7656660bb6dfd05ed68cd35e0f45e6815c57362912fbf7e88ec5f323c336593269825a82a345d2d7aa12

Download Submit
C:\Windows\XGM8N2Y\smss.exe

Filesize
441KB

MD5
f9728d0cd5dc0421632815e62a5ff9b0

SHA1
e29174fa054ce9feb6dd3d2cb92bc75661e3d41a

SHA256
f4f4b115d59fb682c98ecb1352962e916649afd630be5b74a9bb364c901abee2

SHA512
00152cae002a146391c63620f35fab3566575fca01d0d65d0c0e9bb0fbb01baad1e955922162863615e5ea4ed33d89511021911bb23543abf635155159ef26ca

Download Submit
C:\Windows\XGM8N2Y\system.exe

Filesize
441KB

MD5
a97c121d0e4c8646c1aef4091586dad2

SHA1
5df8de202bdbb47d645bfc2c9a87a6c165e2c0c0

SHA256
458b25fdec093b6221026dc9fe6357bdd23a0b1e13c29d7d3ace57615058654b

SHA512
0cafc1b009472a8c925c8cc35c4247fb32673a2c3fdfd4440056e1cfd716e6f636edf7f3cce1a755ac32896583f6d2bbe69a67c58233d638366d3ad01ec30faf

Download Submit
C:\Windows\XGM8N2Y\winlogon.exe

Filesize
441KB

MD5
768209e280b35a25332af41b89df95e5

SHA1
b3a2b2e445c2045db20c3b920c72f9fa586e5dcd

SHA256
10b2f89604ae2a5567751dd2f1e7efa39a96568b9cb2282f314dee9be9aab958

SHA512
19b95820c82f9b40a9255ba637895ed40b764225fe328b5de15ec23e0e8dcbedcf0a95e47de8c94dcf82aeb7423e0e1d821a45954bb91eabcab99ca30852b763

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
c2c497aaa61ee4a3f14827917511263c

SHA1
9f3979115a87fb02d779184885858ab5d2d4ee9b

SHA256
07928f5a5fd5b3c5f095358af8be5899fdc973832ee5c9650e4b4b168c5dae3e

SHA512
04606518e8e0d2c132abc8a7d513cfc9d5a9c514f1d04a540f559e46440048d080ba8c773c32711146d0039e6e3df4d543376290c13e576e13471a371a1bbe22

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
dbdebde4d05a2aa75727042312913c1f

SHA1
4c2d9ab0ad9eee9298c46b752400c16012aef919

SHA256
472283310a90a2a299fd5498e9e2f91e75bf6d126fc1a27d749b9007aa4873bd

SHA512
80333c6e847f846edea846db703915934cfcb3eb6e2b4cb1f4f5123bc0b278488071f5d9c8230c59553a0a608b878c9daac4cffa9339f8eb10a52b3338d8f5ac

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
eae9fb825be018b890ad077e46a73260

SHA1
74cde7b2e717217a6ad13f984113883fe6faf7d8

SHA256
f38c54be0d5c82e340a8b354d104eb1559a9447bc15f228651a8c8b0abcd41f6

SHA512
63c127046ca06bd1e929dd3594f5a4fe611fd88b42c0f5449f8d16c1e3df7d82638c9449e689bfb7d3918e9b44f03a1b338ac261767422f50760845e88262173

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
2f593c451e4243ce08634d5ccb6e8f1d

SHA1
1f72faf6e085aba90482f3edbdec7eed997370b9

SHA256
5c30df5afbcb16e2fcd4f4ddf4bd2573a3f79ca69c1b3cefad83552f725bc52a

SHA512
b1c4a5d642bd59271e7d42dae4116af2705ba4af60d7d456da73d78a10e0a571468e0eb618712993b12ed15d4746bf0d84b1ee49c468b964e28b204d2a2c77fe

Download Submit
memory/1008-188-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1008-160-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-53-0x0000000002990000-0x00000000029E2000-memory.dmp

Filesize
328KB

Download
memory/2068-66-0x0000000002990000-0x00000000029E2000-memory.dmp

Filesize
328KB

Download
memory/2068-128-0x0000000002990000-0x00000000029E2000-memory.dmp

Filesize
328KB

Download
memory/2068-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-100-0x0000000002990000-0x00000000029E2000-memory.dmp

Filesize
328KB

Download
memory/2068-158-0x0000000003EA0000-0x0000000003EF2000-memory.dmp

Filesize
328KB

Download
memory/2068-156-0x0000000003EA0000-0x0000000003EF2000-memory.dmp

Filesize
328KB

Download
memory/2068-161-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-54-0x0000000002990000-0x00000000029E2000-memory.dmp

Filesize
328KB

Download
memory/2356-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2356-186-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2916-187-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2916-129-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3024-55-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3024-185-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads