533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
Size

441KB
MD5

2d269fca9378a8406f64786c56e06091
SHA1

fe662ac67fb814c6d9147cfec9bde7e601e2e341
SHA256

533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30
SHA512

2dbb7d75905eae9c878b9a82963b64533a66f85decbd396fb5ddee1de1814a918393d7ffb25b14675a75bb27c92a7718f42c775f98e9a890bd0da4af39469b64
SSDEEP

6144:4eHwXUljWrLJKuKnGML5NjcxFSsQLH5At:4yMU0g5NjaFSsPt

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E\\MFL2U0E.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E\\MFL2U0E.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E\\regedit.cmd"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe

Executes dropped EXE 5 IoCs

pid	Process
3856	service.exe
4648	smss.exe
1540	system.exe
3780	winlogon.exe
4192	lsass.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sJP3D5I0 = "C:\\Windows\\system32\\OJI8P4KLPY7U7T.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0U0EPY = "C:\\Windows\\GIS3D5I.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sJP3D5I0 = "C:\\Windows\\system32\\OJI8P4KLPY7U7T.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0U0EPY = "C:\\Windows\\GIS3D5I.exe"	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\U:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\LPY7U7T.exe	system.exe
File opened for modification	C:\Windows\GIS3D5I.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E\CFC4G1W.com	service.exe
File opened for modification	C:\Windows\DJP0Q3E	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\LPY7U7T.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\DJP0Q3E	system.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2U0E.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2U0E.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\CFC4G1W.com	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2U0E.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	winlogon.exe
File opened for modification	C:\Windows\LPY7U7T.exe	smss.exe
File opened for modification	C:\Windows\GIS3D5I.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2U0E.exe	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	service.exe
File opened for modification	C:\Windows\LPY7U7T.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2U0E.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\DJP0Q3E\system.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	service.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\LPY7U7T.exe	lsass.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\GIS3D5I.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	system.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	service.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\DJP0Q3E\service.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\DJP0Q3E	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	smss.exe
File opened for modification	C:\Windows\DJP0Q3E\MFL2U0E.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
File opened for modification	C:\Windows\DJP0Q3E\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E\smss.exe	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E	service.exe
File opened for modification	C:\Windows\DJP0Q3E\CFC4G1W.com	system.exe
File opened for modification	C:\Windows\DJP0Q3E\winlogon.exe	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
3856	service.exe
3780	winlogon.exe
4648	smss.exe
1540	system.exe
4192	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3856	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	84
PID 2268 wrote to memory of 3856	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	84
PID 2268 wrote to memory of 3856	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	84
PID 2268 wrote to memory of 4648	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	85
PID 2268 wrote to memory of 4648	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	85
PID 2268 wrote to memory of 4648	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	85
PID 2268 wrote to memory of 1540	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	86
PID 2268 wrote to memory of 1540	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	86
PID 2268 wrote to memory of 1540	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	86
PID 2268 wrote to memory of 3780	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	87
PID 2268 wrote to memory of 3780	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	87
PID 2268 wrote to memory of 3780	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	87
PID 2268 wrote to memory of 4192	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	88
PID 2268 wrote to memory of 4192	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	88
PID 2268 wrote to memory of 4192	2268	533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe	88

C:\Users\Admin\AppData\Local\Temp\533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
"C:\Users\Admin\AppData\Local\Temp\533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\DJP0Q3E\service.exe
  "C:\Windows\DJP0Q3E\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3856
- C:\Windows\DJP0Q3E\smss.exe
  "C:\Windows\DJP0Q3E\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4648
- C:\Windows\DJP0Q3E\system.exe
  "C:\Windows\DJP0Q3E\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1540
- C:\Windows\DJP0Q3E\winlogon.exe
  "C:\Windows\DJP0Q3E\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3780
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DJP0Q3E\CFC4G1W.com

Filesize
441KB

MD5
e407edd2dedf4c3d3b728d6742e2f5b9

SHA1
e22ae7804a2a164467e1bd405aa1c3b1dbeb6066

SHA256
f1441f8870165064144b78692abde3b7fc658ef7ea202a8a6c443420af58ac36

SHA512
366e7222ee4e00f0bf837e4dd9e48ca3e6c36370740e7656660bb6dfd05ed68cd35e0f45e6815c57362912fbf7e88ec5f323c336593269825a82a345d2d7aa12

Download Submit
C:\Windows\DJP0Q3E\MFL2U0E.exe

Filesize
441KB

MD5
eae9fb825be018b890ad077e46a73260

SHA1
74cde7b2e717217a6ad13f984113883fe6faf7d8

SHA256
f38c54be0d5c82e340a8b354d104eb1559a9447bc15f228651a8c8b0abcd41f6

SHA512
63c127046ca06bd1e929dd3594f5a4fe611fd88b42c0f5449f8d16c1e3df7d82638c9449e689bfb7d3918e9b44f03a1b338ac261767422f50760845e88262173

Download Submit
C:\Windows\DJP0Q3E\MFL2U0E.exe

Filesize
441KB

MD5
f4dd871eeae7aad8768c4feecfca961c

SHA1
d44674a7b0bdc9c5fa1594926d61e840b6c44675

SHA256
780b892334ba9384f6c8e63588153627951604826ced5c05b10fcf3add406d52

SHA512
dd42bf072495ac9393f5ea9c1329a05643c587729c0183f473fb9cfeb1e9613ec07181fd62a67ee1b9341bdaaeeb5a97ac8180aaeb84446a9ac5315aac10013b

Download Submit
C:\Windows\DJP0Q3E\MFL2U0E.exe

Filesize
441KB

MD5
768209e280b35a25332af41b89df95e5

SHA1
b3a2b2e445c2045db20c3b920c72f9fa586e5dcd

SHA256
10b2f89604ae2a5567751dd2f1e7efa39a96568b9cb2282f314dee9be9aab958

SHA512
19b95820c82f9b40a9255ba637895ed40b764225fe328b5de15ec23e0e8dcbedcf0a95e47de8c94dcf82aeb7423e0e1d821a45954bb91eabcab99ca30852b763

Download Submit
C:\Windows\DJP0Q3E\regedit.cmd

Filesize
441KB

MD5
a97c121d0e4c8646c1aef4091586dad2

SHA1
5df8de202bdbb47d645bfc2c9a87a6c165e2c0c0

SHA256
458b25fdec093b6221026dc9fe6357bdd23a0b1e13c29d7d3ace57615058654b

SHA512
0cafc1b009472a8c925c8cc35c4247fb32673a2c3fdfd4440056e1cfd716e6f636edf7f3cce1a755ac32896583f6d2bbe69a67c58233d638366d3ad01ec30faf

Download Submit
C:\Windows\DJP0Q3E\regedit.cmd

Filesize
441KB

MD5
8b81a30d1e16b7ea694fda1bf5d4a1c7

SHA1
99eac2e0aa7b0d3b96efe6e9a313681a9e4f3abc

SHA256
839b4774dd7baca19a6274102d6d14adfc512e0b5c8fc1e633932170486a8390

SHA512
0bd69d491930ab414615accb876acab74b60663625ef85c720a83c6d5e074d24ce9c66a4bae63170858b4e945277e327d0c835fdea772f344c402ddc81d72c67

Download Submit
C:\Windows\DJP0Q3E\service.exe

Filesize
441KB

MD5
89925c0c8c7442249785564331621b9f

SHA1
f2dd5dc7c91b0b98bd94651d0ba0b6ddcdba8557

SHA256
74bf6a9c2037066c6fea9f407c2e95c9e73b1cff357f00a652fca6d85184bc5b

SHA512
93800f02fe9ad5121237253dd44d04884114341c713c6669a08f13cd26686b5ea1eae6d2ac809def474eb45a9f38e837cfd9011cc26232713198a12512f99dc8

Download Submit
C:\Windows\DJP0Q3E\smss.exe

Filesize
441KB

MD5
a90b764b8cdf9a5562b3a12330d23005

SHA1
c1e2e81bbb585692bc7eee4c4fbe720d59172507

SHA256
71e38a81f2c68998606c72cd0835a441fe36d1d7df384d73b2d737d66103e19d

SHA512
d08c1755fd703e21db971696aee7c7f63ae8ceb6c9d1adf30258404595916f8c168b630d2e0706281e7968716c78d3e9b365ef7bc8633a02979e34876d11edf4

Download Submit
C:\Windows\DJP0Q3E\system.exe

Filesize
441KB

MD5
a9956a9f636b9969178f150bd362c78c

SHA1
735e81acd2d5a3c78b64770818c4f69edf9e9880

SHA256
77ba265db00abcf19d711936d10b7c3d35174acfe9e16e577b9f2086c78b4fc2

SHA512
4fd3298dd82ddf78278b9e1f8ddfd5afd0aefd40e5a147d75613c4f97f91b26b8991535d7aa05a302fcd775dc4f31619d61023fc805e8d84cf7dd6e62eaae46f

Download Submit
C:\Windows\DJP0Q3E\winlogon.exe

Filesize
441KB

MD5
71e5b6621d2323137fcf1ddb97c51bd7

SHA1
64f2887614790792c8eee5f9e5d826d79b2a4d7b

SHA256
d6e203ccc2f4aa150c161ff05155a89b1383ee1e4b63816c2159c95e4113ccdf

SHA512
a218239b64267443a1a200ad7ca4544421e5e40da2709d42d3fdb521bbf836090be6196b218457b4d8927ce71bf5fbb36c9b16e256ed42568fba4512198d0201

Download Submit
C:\Windows\GIS3D5I.exe

Filesize
441KB

MD5
065f686bc581c51abe9ec010e7bd8670

SHA1
ce772af705334fba10f0886396bfb44346503e69

SHA256
a03db27f5f0a27c542e5bf5dce65aa2e88438d426378e2c3a469177aafab4785

SHA512
0befd7b9860cc3c8eb296ca7a854b9053de417b06b6990f1fa427f79e3a3e76498fa92111cb21ba94d9c0faa637d8488c96d528afccb770787a0688dba6890b6

Download Submit
C:\Windows\GIS3D5I.exe

Filesize
441KB

MD5
0822ad287a1fc4c8de97d3b45af28d87

SHA1
0bb6dbc67fce0051a486427334e96167f89443e4

SHA256
930098f4542931350e1cf078674612dba4a2484ef73ad8a5e8626b6788677e27

SHA512
1e44e8f7187802f546c7224cb46ba3e5d57b97d880b18967429f93ecb2cd77b0dec6c9032b0425131adfa0161c932c0955b6092d709e6d4d77c24c0d631ea8a3

Download Submit
C:\Windows\LPY7U7T.exe

Filesize
441KB

MD5
32f89311fedcc24ac145e6e3171d37e1

SHA1
47900c137f464f5faee86b0759f26c78f13bfd56

SHA256
ecc6d910da338d62b84a188a9f584648ece21c59f5b83c8800812bc779d55edb

SHA512
1600e68b7f1176d4df31ad1e921ed64c9198a705fd16d127275937773dd762ad0ec379dee7ffd2b485c849d4cfcb93a74d4062cc83cbbf336ccee0c9f8be50f3

Download Submit
C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd

Filesize
441KB

MD5
2d269fca9378a8406f64786c56e06091

SHA1
fe662ac67fb814c6d9147cfec9bde7e601e2e341

SHA256
533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30

SHA512
2dbb7d75905eae9c878b9a82963b64533a66f85decbd396fb5ddee1de1814a918393d7ffb25b14675a75bb27c92a7718f42c775f98e9a890bd0da4af39469b64

Download Submit
C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe

Filesize
441KB

MD5
f9728d0cd5dc0421632815e62a5ff9b0

SHA1
e29174fa054ce9feb6dd3d2cb92bc75661e3d41a

SHA256
f4f4b115d59fb682c98ecb1352962e916649afd630be5b74a9bb364c901abee2

SHA512
00152cae002a146391c63620f35fab3566575fca01d0d65d0c0e9bb0fbb01baad1e955922162863615e5ea4ed33d89511021911bb23543abf635155159ef26ca

Download Submit
C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe

Filesize
441KB

MD5
f274f040a3bc66ed5a5cd39ea126fbfa

SHA1
72b8993c4707f939e46d8b9f72e605cd4d01dc2f

SHA256
bb41a637ee386422ecdaf98b0a957c6a559db149966176e4337c4083a478763b

SHA512
c0d70ac6d6b3c959e9b496244e5b4962e2fb9c1462ee221c8cb3d1b5738dac6ce90d31d3a38ef435f63fe3938a742626d307344b36460b669573eef64f9c0cfa

Download Submit
C:\Windows\SysWOW64\VTX4F2Q.exe

Filesize
441KB

MD5
a270986778f715461ab44729b25c1fe5

SHA1
3a9abaccb1bac668af2c38553458698dcf8d9082

SHA256
6898b87c883e916482dccfab7d244c6a1c4a23fbe458eea84e4f4d70c8622059

SHA512
94c7db49ad7c033ef22de3e5ba86924e7b9988089ae1c4c61a11f3a0849ec86d3d327b4142b0db76ac8ef046262957f0aa20ba9f48731588bc42dbbf419967c5

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
fe219732c64fb99844eeea8a99110d85

SHA1
d435a28b2db26da180f2b23b051a1d4f9b968e43

SHA256
6631d7359acc2575b75d6811c918bc209f269e89700eb8220f9936fa05c1cc7c

SHA512
0ee7be5d8b4a45d91101807e687188a635d626703262487d60743334a68fce94275dd471a5fb79c96af87f0084b59adb1ce8cdb3d430da46716ef9921a6f09e9

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
45c87e723ef890963a244048007fafab

SHA1
724b8494460f10a8be3773aca69a904b1f9f6054

SHA256
1112c19bd06e331ad2a4ce38c0742528f9b92b6f1c7a757d38f32a83e26cf58e

SHA512
2fc969800f75b0ccd27a2c7817423ed81bd56e5eff03329ee485a5ca413c8d934614c32cf9b67b2b6d1e6312f0ae2030577987b7112945c7194efa3969376727

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
a122aeb21d8fea84eecb80ce782daf51

SHA1
cd2c45a895c7e365606777a8dacaea7f01955f44

SHA256
7abb33f7c8b31a0d47e0633d982be7bb3c3cf4182b6f9c44f20571117d919a96

SHA512
a34c9871782f57132b8f9ef1fc26c8fae561e052ccbd2fea753598a298c8dad4bfb07f379bc6f3a6729251289e6fa76d30b5f1855b08b504b781a1068b09a063

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
ec5702730c23e0a018294594ab43b089

SHA1
01fb205e1c0945f20727daf32e5d96a8143dff22

SHA256
6e7a81af9546674515074881e6075070f07f38340d7847b1c45d84a1e7137acd

SHA512
617224e82df6c6b88364194b787436d1cf27d918ad951bd58034955d07e1ed7842bc423ac900a96703f7845cf0c8303c3ef9ece2973851999ddd9f90ce4cb340

Download Submit
C:\Windows\lsass.exe

Filesize
441KB

MD5
858964974b18c1ff191f9c80953f8c2a

SHA1
b0ea3c9c043221be12f8362d1ee57cd676530adf

SHA256
7ddd5fe947f91da562f06c960d36a98f64c6b426efe6bc40e3fed236e8360281

SHA512
63ef28f21bfabff75b3bc37b2240808399373326d37270df018e8fa760229a22c42e7431822e8257009c8e260f4e2a1365cc6f54782079ef05b8c1dcfc69244b

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
c14d86b2aa572ba9973828133ffd9d83

SHA1
db863f0efc33b72522b228f25835826fad532d32

SHA256
86a9eb67eca6d722a633e967a25866b874560ba49a49d024e9584f3db5a1a14e

SHA512
9c0d57b0a6be0d6c4f81268f75f4032cf81e6287a781fdc7b0050d1ed31c1456d6650186b0e3bf1204d47c92b358b59707f260e7042837c78a8777692fd67d34

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
c6e72c1e418663017ccfea1bedf7eee7

SHA1
797a84957ebd22647d8e7ac62a81061496ea2ef2

SHA256
d6f15036a1fd7489d7c2a04dcb2be2f44dd9a0e752e5206698f7b462970f2e9a

SHA512
3f693de5fa31421e9a5c4ecf9182ac654a388a4934bc58b9e5e509419ea0e371d458ed8fe838f742003b3a250347e92ef9c23eac32f2cdca46fe494ff771191c

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
8d205ffd6d88ed41b19caa91a7aa994c

SHA1
5ee0cc6ef7ab500ffb99e42323fe5074b52cce91

SHA256
7500ef088d9a7f141d896bdcc21fc38675dc4763a301d657107ca9622f74ca99

SHA512
8462003ca9aead0737789bdd8a769608e6217e80c82264b439a1d649bc185880220959f9c4b2578cd0467fbca9409bfaeedaf1ab13e70e3a545eb11b239bb68f

Download Submit
memory/1540-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1540-268-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2268-205-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2268-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3780-82-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3780-269-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3856-67-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3856-266-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4192-235-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4192-270-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4648-68-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4648-267-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads