Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/07/2024, 21:42
Static task: static1
Behavioral task: behavioral1
  Sample: 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
  Resource: win10v2004-20240704-en
General
Target: 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
Size: 441KB
MD5: 2d269fca9378a8406f64786c56e06091
SHA1: fe662ac67fb814c6d9147cfec9bde7e601e2e341
SHA256: 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30
SHA512: 2dbb7d75905eae9c878b9a82963b64533a66f85decbd396fb5ddee1de1814a918393d7ffb25b14675a75bb27c92a7718f42c775f98e9a890bd0da4af39469b64
SSDEEP: 6144:4eHwXUljWrLJKuKnGML5NjcxFSsQLH5At:4yMU0g5NjaFSsPt
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
The Winlogon Shell value is a comma-separated list, so Winlogon still starts explorer.exe and additionally starts the dropped C:\Windows\DJP0Q3E\MFL2U0E.exe at every interactive logon. The value is written under WOW6432Node because the sample is a 32-bit process.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E\\MFL2U0E.exe\"" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E\\MFL2U0E.exe\"" | lsass.exe
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Disables use of System Restore points 1 TTPs
No separate IoC is listed: this is inferred from the Image File Execution Options entries below, which point the debugger for rstrui.exe (the System Restore user interface) at notepad.exe, so launching System Restore opens Notepad instead.
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
An IFEO "debugger" value makes Windows start the named program in place of the target executable. Here rstrui.exe and msconfig.exe are redirected to notepad.exe and regedit.exe to the dropped C:\Windows\DJP0Q3E\regedit.cmd, which blocks the three tools a user would reach for to undo the registry changes. Both system.exe and lsass.exe write the same entries.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E\\regedit.cmd" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E\\regedit.cmd" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | lsass.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
Executes dropped EXE 5 IoCs
pid | Process
3856 | service.exe
4648 | smss.exe
1540 | system.exe
3780 | winlogon.exe
4192 | lsass.exe
Modifies system executable filetype association 2 TTPs 2 IoCs
Setting the (Default) value of the exefile class to "File Folder" changes the type description Explorer shows for .exe files; combined with HideFileExt = 1 above, the dropped executables are displayed as if they were folders.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sJP3D5I0 = "C:\\Windows\\system32\\OJI8P4KLPY7U7T.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0U0EPY = "C:\\Windows\\GIS3D5I.exe" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sJP3D5I0 = "C:\\Windows\\system32\\OJI8P4KLPY7U7T.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0U0EPY = "C:\\Windows\\GIS3D5I.exe" | lsass.exe
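As an added example (not part of the tria.ge report), the following Python turns the registry events in the Winlogon, Explorer, IFEO, file-association and Run-key signatures above into detection logic. It parses "Set value" lines in the report's own format; the sample lines are copied from this run, with one constructed benign msiexec.exe line as a control. The ATT&CK sub-technique IDs in the output are the standard ones for the techniques this report's MITRE section lists.

```python
"""Map sandbox registry 'Set value' events to the persistence and
defense-evasion behaviours this report flags.  Illustrative code,
not part of the tria.ge report."""
import re
from collections import defaultdict

# Constructed input: lines copied from this report's Signatures section,
# plus one benign control line (msiexec.exe writing the default shell).
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E\\MFL2U0E.exe\"" system.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" system.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E\\regedit.cmd" lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" system.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sJP3D5I0 = "C:\\Windows\\system32\\OJI8P4KLPY7U7T.exe" system.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0U0EPY = "C:\\Windows\\GIS3D5I.exe" lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" msiexec.exe
'''

# Line shape: Set value (<type>) <key>\<name> = "<data>" <process>
# The data may contain escaped quotes, so the quoted part is matched
# greedily and the process name is anchored at the end of the line.
EVENT_RE = re.compile(r'^Set value \((\w+)\) (\S.*?) = "(.*)" (\S+)$')


def parse_event(line):
    """Split one report line into key, value name, data and writing
    process; returns None for lines that are not 'Set value' events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    vtype, path, data, process = m.groups()
    key, _, name = path.rpartition('\\')   # trailing '\' means the (Default) value
    return {"type": vtype, "key": key, "name": name, "data": data, "process": process}


def classify(ev):
    """Return a finding string for a malicious setting, or None if benign."""
    key, name, data = ev["key"].lower(), ev["name"].lower(), ev["data"]
    if key.endswith('\\winlogon') and name == 'shell':
        # Anything beyond a bare explorer.exe is started at every logon
        return None if data.strip().lower() == 'explorer.exe' else \
            f"T1547.004 Winlogon Shell replaced with {data}"
    if '\\image file execution options\\' in key and name == 'debugger':
        target = key.rpartition('\\')[2]          # the hijacked executable
        return f"T1546.012 IFEO debugger for {target} -> {data}"
    if key.endswith('\\explorer\\advanced'):
        if name == 'hidefileext' and data == '1':
            return "T1564.001 file extensions hidden in Explorer"
        if name == 'showsuperhidden' and data == '0':
            return "T1564.001 hidden/system files hidden in Explorer"
    if key.endswith(('\\classes\\exefile', '\\classes\\scrfile')) and name == '':
        return f"T1546.001 executable type relabelled as '{data}'"
    if key.endswith('\\currentversion\\run'):
        return f"T1547.001 Run key {ev['name']} -> {data}"
    return None


def classify_events(text):
    """Parse every line of `text` and return the list of findings."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict is not None:
            findings.append({"process": ev["process"], "finding": verdict})
    return findings


def by_process(findings):
    """Group findings by the process that wrote them."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["process"]].append(f["finding"])
    return dict(grouped)


if __name__ == "__main__":
    for proc, hits in sorted(by_process(classify_events(SAMPLE_EVENTS)).items()):
        print(proc)
        for hit in hits:
            print("   ", hit)
```

The Winlogon rule deliberately compares against a bare explorer.exe rather than looking for a known-bad path, because the Shell value is a comma-separated launch list and any second entry is an autostart; the same parser can be pointed at a Sysmon Event ID 13 export once the line format is adjusted.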
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (21 drive roots, one event each) | service.exe
Drops file in System32 directory 42 IoCs
The sample runs as a 32-bit process (its HKLM registry writes land under WOW6432Node), so WOW64 file system redirection sends its writes to System32 into C:\Windows\SysWOW64; note that the HKCU Run value above nevertheless references C:\Windows\system32\OJI8P4KLPY7U7T.exe. Every one of the seven paths below is opened for modification by all six processes (533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe, service.exe, smss.exe, system.exe, winlogon.exe and lsass.exe), giving the 42 events.
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\HVX4D5N | all six
File opened for modification | C:\Windows\SysWOW64\HVX4D5N\OJI8P4K.cmd | all six
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | all six
File opened for modification | C:\Windows\SysWOW64\systear.dll | all six
File opened for modification | C:\Windows\SysWOW64\OJI8P4KLPY7U7T.exe | all six
File opened for modification | C:\Windows\SysWOW64\VTX4F2Q.exe | all six
File opened for modification | C:\Windows\SysWOW64\regedit.exe | all six
Drops file in Windows directory 64 IoCs
All 64 listed events are "File opened for modification". Below, 533dd…exe denotes the submitted sample 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe.
ioc | Processes observed
C:\Windows\DJP0Q3E | 533dd…exe, system.exe, smss.exe, lsass.exe, service.exe
C:\Windows\DJP0Q3E\service.exe | lsass.exe, winlogon.exe, service.exe, 533dd…exe, system.exe
C:\Windows\DJP0Q3E\system.exe | lsass.exe, 533dd…exe, system.exe, smss.exe, service.exe, winlogon.exe
C:\Windows\DJP0Q3E\smss.exe | service.exe, winlogon.exe, 533dd…exe, system.exe, smss.exe, lsass.exe
C:\Windows\DJP0Q3E\winlogon.exe | smss.exe, service.exe, lsass.exe, winlogon.exe, 533dd…exe
C:\Windows\DJP0Q3E\MFL2U0E.exe | winlogon.exe, smss.exe, system.exe, lsass.exe, service.exe, 533dd…exe
C:\Windows\DJP0Q3E\CFC4G1W.com | service.exe, 533dd…exe, system.exe
C:\Windows\DJP0Q3E\regedit.cmd | service.exe, system.exe, 533dd…exe, smss.exe, winlogon.exe
C:\Windows\lsass.exe | lsass.exe, winlogon.exe, 533dd…exe, smss.exe, system.exe, service.exe
C:\Windows\LPY7U7T.exe | system.exe, 533dd…exe, smss.exe, service.exe, lsass.exe
C:\Windows\GIS3D5I.exe | service.exe, system.exe, smss.exe
C:\Windows\cypreg.dll | smss.exe, system.exe, lsass.exe, service.exe
C:\Windows\system\msvbvm60.dll | system.exe, lsass.exe, service.exe, smss.exe
C:\Windows\64enc.en | system.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
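Added example, not from the report: the drive enumeration and the drops into C:\Windows above are the behaviours a file-event detection would key on. This Python parses "File opened" lines in the report's format (lines copied from this run plus two constructed explorer.exe control lines) and flags processes that touch many distinct drive roots, and executables written under C:\Windows, with a separate reason when the file name collides with a core Windows binary. The threshold of five drive roots is an assumption chosen for this example.

```python
"""Two checks over sandbox file events: mass drive-root enumeration and
executables written into C:\\Windows.  Illustrative code, not part of
the tria.ge report."""
import re
from collections import defaultdict

# Constructed input: lines copied from this report's 'Enumerates connected
# drives' and 'Drops file in ...' signatures, plus two benign control
# lines for explorer.exe.
SAMPLE_FILE_EVENTS = r'''
File opened (read-only) \??\J: service.exe
File opened (read-only) \??\L: service.exe
File opened (read-only) \??\O: service.exe
File opened (read-only) \??\T: service.exe
File opened (read-only) \??\Z: service.exe
File opened (read-only) \??\N: service.exe
File opened (read-only) \??\S: service.exe
File opened (read-only) \??\D: explorer.exe
File opened for modification C:\Windows\SysWOW64\regedit.exe lsass.exe
File opened for modification C:\Windows\lsass.exe smss.exe
File opened for modification C:\Windows\DJP0Q3E\MFL2U0E.exe winlogon.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\64enc.en system.exe
File opened for modification C:\Users\Admin\Documents\notes.txt explorer.exe
'''

# Line shape: File opened <op> <path> <process>; the process name is the
# last whitespace-free token, so paths containing spaces still parse.
EVENT_RE = re.compile(r'^File opened (\(read-only\)|for modification) (\S.*?) (\S+)$')
# NT object-manager form of a drive root, e.g. \??\J:
DRIVE_ROOT_RE = re.compile(r'\\\?\?\\([A-Za-z]):$')
EXEC_EXTENSIONS = ('.exe', '.dll', '.cmd', '.com', '.scr', '.bat')
CORE_BINARY_NAMES = {'smss.exe', 'csrss.exe', 'winlogon.exe', 'lsass.exe',
                     'services.exe', 'svchost.exe', 'regedit.exe'}


def parse_events(text):
    """Turn report lines into dicts with op, path and process."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            op, path, process = m.groups()
            events.append({"op": op, "path": path, "process": process})
    return events


def drive_enumerators(events, threshold=5):
    """Processes that opened at least `threshold` distinct drive roots,
    the access pattern of a worm probing for removable or mapped drives
    to copy itself to.  Returns {process: sorted drive letters}."""
    roots = defaultdict(set)
    for ev in events:
        m = DRIVE_ROOT_RE.match(ev["path"])
        if m:
            roots[ev["process"]].add(m.group(1).upper())
    return {p: sorted(r) for p, r in roots.items() if len(r) >= threshold}


def suspicious_windows_writes(events):
    """Executable files created or modified under C:\\Windows, with a
    stronger reason when the name matches a core Windows binary."""
    hits = []
    for ev in events:
        if ev["op"] != "for modification":
            continue
        low = ev["path"].lower()
        if not low.startswith('c:\\windows\\'):
            continue
        name = low.rpartition('\\')[2]
        if not name.endswith(EXEC_EXTENSIONS):
            continue          # data files such as 64enc.en are not flagged here
        reason = "executable written under C:\\Windows"
        if name in CORE_BINARY_NAMES:
            reason = f"write to a file named like core Windows binary {name}"
        hits.append({"process": ev["process"], "path": ev["path"], "reason": reason})
    return hits


if __name__ == "__main__":
    events = parse_events(SAMPLE_FILE_EVENTS)
    print("drive enumeration:", drive_enumerators(events))
    for hit in suspicious_windows_writes(events):
        print(f"{hit['process']}: {hit['path']} ({hit['reason']})")
```

The drive check counts distinct roots rather than raw opens so that a process re-reading one mapped share does not trip it; service.exe here touches 21 roots in a single run, far past any sensible threshold.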
Modifies registry class 9 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | lsass.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe
3856 | service.exe
3780 | winlogon.exe
4648 | smss.exe
1540 | system.exe
4192 | lsass.exe
Suspicious use of WriteProcessMemory 15 IoCs
All 15 writes are from the parent (PID 2268) into the five children it had just created (procid_target 84 to 88), three writes per child. That pattern is consistent with ordinary process start-up rather than injection into an unrelated process; the process tree below is the stronger signal.
description | pid | Process | procid_target
PID 2268 wrote to memory of 3856 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 84
PID 2268 wrote to memory of 3856 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 84
PID 2268 wrote to memory of 3856 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 84
PID 2268 wrote to memory of 4648 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 85
PID 2268 wrote to memory of 4648 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 85
PID 2268 wrote to memory of 4648 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 85
PID 2268 wrote to memory of 1540 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 86
PID 2268 wrote to memory of 1540 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 86
PID 2268 wrote to memory of 1540 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 86
PID 2268 wrote to memory of 3780 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 87
PID 2268 wrote to memory of 3780 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 87
PID 2268 wrote to memory of 3780 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 87
PID 2268 wrote to memory of 4192 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 88
PID 2268 wrote to memory of 4192 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 88
PID 2268 wrote to memory of 4192 | 2268 | 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe (PID 2268, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\DJP0Q3E\service.exe (PID 3856, depth 2, child of PID 2268)
    Command line: "C:\Windows\DJP0Q3E\service.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\DJP0Q3E\smss.exe (PID 4648, depth 2, child of PID 2268)
    Command line: "C:\Windows\DJP0Q3E\smss.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\DJP0Q3E\system.exe (PID 1540, depth 2, child of PID 2268)
    Command line: "C:\Windows\DJP0Q3E\system.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\DJP0Q3E\winlogon.exe (PID 3780, depth 2, child of PID 2268)
    Command line: "C:\Windows\DJP0Q3E\winlogon.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\lsass.exe (PID 4192, depth 2, child of PID 2268)
    Command line: "C:\Windows\lsass.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
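Added example, not from the report: the process tree above is a textbook masquerading case, five children named after Windows system processes but started from C:\Windows\DJP0Q3E or the Windows root by a parent in the user's Temp directory. This Python checks a list of process records (PIDs and image paths taken from this report; the root's parent PID and the extra legitimate lsass.exe entry are constructed) for three signals: a core-binary name running outside System32, a lookalike name, and a parent image in a user-writable path.

```python
"""Flag processes that imitate Windows system binaries by name or path,
as the five children in this report's process tree do.  Illustrative
code, not part of the tria.ge report."""

# Constructed input: the process tree from this report (PIDs and image
# paths as listed; the root's parent PID is not in the report and is set
# to 0 here), plus one constructed legitimate lsass.exe for contrast.
SAMPLE_PROCESSES = [
    {"pid": 2268, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30.exe"},
    {"pid": 3856, "ppid": 2268, "image": r"C:\Windows\DJP0Q3E\service.exe"},
    {"pid": 4648, "ppid": 2268, "image": r"C:\Windows\DJP0Q3E\smss.exe"},
    {"pid": 1540, "ppid": 2268, "image": r"C:\Windows\DJP0Q3E\system.exe"},
    {"pid": 3780, "ppid": 2268, "image": r"C:\Windows\DJP0Q3E\winlogon.exe"},
    {"pid": 4192, "ppid": 2268, "image": r"C:\Windows\lsass.exe"},
    {"pid": 700, "ppid": 500, "image": r"C:\Windows\System32\lsass.exe"},  # constructed control
]

# Core binaries whose legitimate image is C:\Windows\System32\<name>.
CORE_SYSTEM32 = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                 "services.exe", "lsass.exe"}
# Names chosen to resemble system processes that do not exist under that name.
LOOKALIKES = {"system.exe": "the System process (which has no image file)",
              "service.exe": "services.exe",
              "svhost.exe": "svchost.exe",
              "lsas.exe": "lsass.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def check_process(proc, by_pid):
    """Return the list of reasons `proc` looks like a masquerading process."""
    image = proc["image"].lower()
    directory, _, name = image.rpartition("\\")
    reasons = []
    if name in CORE_SYSTEM32 and directory != "c:\\windows\\system32":
        reasons.append(f"{name} running from {directory} instead of C:\\Windows\\System32")
    if name in LOOKALIKES:
        reasons.append(f"{name} imitates {LOOKALIKES[name]}")
    parent = by_pid.get(proc["ppid"])
    if parent is not None and parent["image"].lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"started by PID {parent['pid']} from user-writable path {parent['image']}")
    return reasons


def scan(processes):
    """Map PID -> reasons for every process that triggers at least one check."""
    by_pid = {p["pid"]: p for p in processes}
    flagged = {}
    for proc in processes:
        reasons = check_process(proc, by_pid)
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for pid, reasons in sorted(scan(SAMPLE_PROCESSES).items()):
        print(pid)
        for r in reasons:
            print("   ", r)
```

The path comparison is exact on purpose: C:\Windows\lsass.exe, as in this run, is one directory away from the real binary and would survive a check that only looked for the name under C:\Windows.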
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Image File Execution Options Injection (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Image File Execution Options Injection (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (5)
Downloads
Twenty-five dropped files were collected. Eighteen are 441KB, the size of the submitted sample; one of them (MD5 2d269fca9378a8406f64786c56e06091) is the sample itself, while the other seventeen have distinct hashes at the same size, which indicates each copy is rewritten rather than duplicated byte for byte. The remaining entries are one 141B file, three of 361KB and three of 1.4MB.
- Filesize 441KB
  MD5 e407edd2dedf4c3d3b728d6742e2f5b9
  SHA1 e22ae7804a2a164467e1bd405aa1c3b1dbeb6066
  SHA256 f1441f8870165064144b78692abde3b7fc658ef7ea202a8a6c443420af58ac36
  SHA512 366e7222ee4e00f0bf837e4dd9e48ca3e6c36370740e7656660bb6dfd05ed68cd35e0f45e6815c57362912fbf7e88ec5f323c336593269825a82a345d2d7aa12
- Filesize 441KB
  MD5 eae9fb825be018b890ad077e46a73260
  SHA1 74cde7b2e717217a6ad13f984113883fe6faf7d8
  SHA256 f38c54be0d5c82e340a8b354d104eb1559a9447bc15f228651a8c8b0abcd41f6
  SHA512 63c127046ca06bd1e929dd3594f5a4fe611fd88b42c0f5449f8d16c1e3df7d82638c9449e689bfb7d3918e9b44f03a1b338ac261767422f50760845e88262173
- Filesize 441KB
  MD5 f4dd871eeae7aad8768c4feecfca961c
  SHA1 d44674a7b0bdc9c5fa1594926d61e840b6c44675
  SHA256 780b892334ba9384f6c8e63588153627951604826ced5c05b10fcf3add406d52
  SHA512 dd42bf072495ac9393f5ea9c1329a05643c587729c0183f473fb9cfeb1e9613ec07181fd62a67ee1b9341bdaaeeb5a97ac8180aaeb84446a9ac5315aac10013b
- Filesize 441KB
  MD5 768209e280b35a25332af41b89df95e5
  SHA1 b3a2b2e445c2045db20c3b920c72f9fa586e5dcd
  SHA256 10b2f89604ae2a5567751dd2f1e7efa39a96568b9cb2282f314dee9be9aab958
  SHA512 19b95820c82f9b40a9255ba637895ed40b764225fe328b5de15ec23e0e8dcbedcf0a95e47de8c94dcf82aeb7423e0e1d821a45954bb91eabcab99ca30852b763
- Filesize 441KB
  MD5 a97c121d0e4c8646c1aef4091586dad2
  SHA1 5df8de202bdbb47d645bfc2c9a87a6c165e2c0c0
  SHA256 458b25fdec093b6221026dc9fe6357bdd23a0b1e13c29d7d3ace57615058654b
  SHA512 0cafc1b009472a8c925c8cc35c4247fb32673a2c3fdfd4440056e1cfd716e6f636edf7f3cce1a755ac32896583f6d2bbe69a67c58233d638366d3ad01ec30faf
- Filesize 441KB
  MD5 8b81a30d1e16b7ea694fda1bf5d4a1c7
  SHA1 99eac2e0aa7b0d3b96efe6e9a313681a9e4f3abc
  SHA256 839b4774dd7baca19a6274102d6d14adfc512e0b5c8fc1e633932170486a8390
  SHA512 0bd69d491930ab414615accb876acab74b60663625ef85c720a83c6d5e074d24ce9c66a4bae63170858b4e945277e327d0c835fdea772f344c402ddc81d72c67
- Filesize 441KB
  MD5 89925c0c8c7442249785564331621b9f
  SHA1 f2dd5dc7c91b0b98bd94651d0ba0b6ddcdba8557
  SHA256 74bf6a9c2037066c6fea9f407c2e95c9e73b1cff357f00a652fca6d85184bc5b
  SHA512 93800f02fe9ad5121237253dd44d04884114341c713c6669a08f13cd26686b5ea1eae6d2ac809def474eb45a9f38e837cfd9011cc26232713198a12512f99dc8
- Filesize 441KB
  MD5 a90b764b8cdf9a5562b3a12330d23005
  SHA1 c1e2e81bbb585692bc7eee4c4fbe720d59172507
  SHA256 71e38a81f2c68998606c72cd0835a441fe36d1d7df384d73b2d737d66103e19d
  SHA512 d08c1755fd703e21db971696aee7c7f63ae8ceb6c9d1adf30258404595916f8c168b630d2e0706281e7968716c78d3e9b365ef7bc8633a02979e34876d11edf4
- Filesize 441KB
  MD5 a9956a9f636b9969178f150bd362c78c
  SHA1 735e81acd2d5a3c78b64770818c4f69edf9e9880
  SHA256 77ba265db00abcf19d711936d10b7c3d35174acfe9e16e577b9f2086c78b4fc2
  SHA512 4fd3298dd82ddf78278b9e1f8ddfd5afd0aefd40e5a147d75613c4f97f91b26b8991535d7aa05a302fcd775dc4f31619d61023fc805e8d84cf7dd6e62eaae46f
- Filesize 441KB
  MD5 71e5b6621d2323137fcf1ddb97c51bd7
  SHA1 64f2887614790792c8eee5f9e5d826d79b2a4d7b
  SHA256 d6e203ccc2f4aa150c161ff05155a89b1383ee1e4b63816c2159c95e4113ccdf
  SHA512 a218239b64267443a1a200ad7ca4544421e5e40da2709d42d3fdb521bbf836090be6196b218457b4d8927ce71bf5fbb36c9b16e256ed42568fba4512198d0201
- Filesize 441KB
  MD5 065f686bc581c51abe9ec010e7bd8670
  SHA1 ce772af705334fba10f0886396bfb44346503e69
  SHA256 a03db27f5f0a27c542e5bf5dce65aa2e88438d426378e2c3a469177aafab4785
  SHA512 0befd7b9860cc3c8eb296ca7a854b9053de417b06b6990f1fa427f79e3a3e76498fa92111cb21ba94d9c0faa637d8488c96d528afccb770787a0688dba6890b6
- Filesize 441KB
  MD5 0822ad287a1fc4c8de97d3b45af28d87
  SHA1 0bb6dbc67fce0051a486427334e96167f89443e4
  SHA256 930098f4542931350e1cf078674612dba4a2484ef73ad8a5e8626b6788677e27
  SHA512 1e44e8f7187802f546c7224cb46ba3e5d57b97d880b18967429f93ecb2cd77b0dec6c9032b0425131adfa0161c932c0955b6092d709e6d4d77c24c0d631ea8a3
- Filesize 441KB
  MD5 32f89311fedcc24ac145e6e3171d37e1
  SHA1 47900c137f464f5faee86b0759f26c78f13bfd56
  SHA256 ecc6d910da338d62b84a188a9f584648ece21c59f5b83c8800812bc779d55edb
  SHA512 1600e68b7f1176d4df31ad1e921ed64c9198a705fd16d127275937773dd762ad0ec379dee7ffd2b485c849d4cfcb93a74d4062cc83cbbf336ccee0c9f8be50f3
- Filesize 441KB (identical to the submitted sample)
  MD5 2d269fca9378a8406f64786c56e06091
  SHA1 fe662ac67fb814c6d9147cfec9bde7e601e2e341
  SHA256 533dd29cbd3da5767775af1df2648f8bc8c4add8d945ea11daf21eb341a7fd30
  SHA512 2dbb7d75905eae9c878b9a82963b64533a66f85decbd396fb5ddee1de1814a918393d7ffb25b14675a75bb27c92a7718f42c775f98e9a890bd0da4af39469b64
- Filesize 441KB
  MD5 f9728d0cd5dc0421632815e62a5ff9b0
  SHA1 e29174fa054ce9feb6dd3d2cb92bc75661e3d41a
  SHA256 f4f4b115d59fb682c98ecb1352962e916649afd630be5b74a9bb364c901abee2
  SHA512 00152cae002a146391c63620f35fab3566575fca01d0d65d0c0e9bb0fbb01baad1e955922162863615e5ea4ed33d89511021911bb23543abf635155159ef26ca
- Filesize 441KB
  MD5 f274f040a3bc66ed5a5cd39ea126fbfa
  SHA1 72b8993c4707f939e46d8b9f72e605cd4d01dc2f
  SHA256 bb41a637ee386422ecdaf98b0a957c6a559db149966176e4337c4083a478763b
  SHA512 c0d70ac6d6b3c959e9b496244e5b4962e2fb9c1462ee221c8cb3d1b5738dac6ce90d31d3a38ef435f63fe3938a742626d307344b36460b669573eef64f9c0cfa
- Filesize 441KB
  MD5 a270986778f715461ab44729b25c1fe5
  SHA1 3a9abaccb1bac668af2c38553458698dcf8d9082
  SHA256 6898b87c883e916482dccfab7d244c6a1c4a23fbe458eea84e4f4d70c8622059
  SHA512 94c7db49ad7c033ef22de3e5ba86924e7b9988089ae1c4c61a11f3a0849ec86d3d327b4142b0db76ac8ef046262957f0aa20ba9f48731588bc42dbbf419967c5
- Filesize 141B
  MD5 fe219732c64fb99844eeea8a99110d85
  SHA1 d435a28b2db26da180f2b23b051a1d4f9b968e43
  SHA256 6631d7359acc2575b75d6811c918bc209f269e89700eb8220f9936fa05c1cc7c
  SHA512 0ee7be5d8b4a45d91101807e687188a635d626703262487d60743334a68fce94275dd471a5fb79c96af87f0084b59adb1ce8cdb3d430da46716ef9921a6f09e9
- Filesize 361KB
  MD5 45c87e723ef890963a244048007fafab
  SHA1 724b8494460f10a8be3773aca69a904b1f9f6054
  SHA256 1112c19bd06e331ad2a4ce38c0742528f9b92b6f1c7a757d38f32a83e26cf58e
  SHA512 2fc969800f75b0ccd27a2c7817423ed81bd56e5eff03329ee485a5ca413c8d934614c32cf9b67b2b6d1e6312f0ae2030577987b7112945c7194efa3969376727
- Filesize 361KB
  MD5 a122aeb21d8fea84eecb80ce782daf51
  SHA1 cd2c45a895c7e365606777a8dacaea7f01955f44
  SHA256 7abb33f7c8b31a0d47e0633d982be7bb3c3cf4182b6f9c44f20571117d919a96
  SHA512 a34c9871782f57132b8f9ef1fc26c8fae561e052ccbd2fea753598a298c8dad4bfb07f379bc6f3a6729251289e6fa76d30b5f1855b08b504b781a1068b09a063
- Filesize 361KB
  MD5 ec5702730c23e0a018294594ab43b089
  SHA1 01fb205e1c0945f20727daf32e5d96a8143dff22
  SHA256 6e7a81af9546674515074881e6075070f07f38340d7847b1c45d84a1e7137acd
  SHA512 617224e82df6c6b88364194b787436d1cf27d918ad951bd58034955d07e1ed7842bc423ac900a96703f7845cf0c8303c3ef9ece2973851999ddd9f90ce4cb340
- Filesize 441KB
  MD5 858964974b18c1ff191f9c80953f8c2a
  SHA1 b0ea3c9c043221be12f8362d1ee57cd676530adf
  SHA256 7ddd5fe947f91da562f06c960d36a98f64c6b426efe6bc40e3fed236e8360281
  SHA512 63ef28f21bfabff75b3bc37b2240808399373326d37270df018e8fa760229a22c42e7431822e8257009c8e260f4e2a1365cc6f54782079ef05b8c1dcfc69244b
- Filesize 1.4MB
  MD5 c14d86b2aa572ba9973828133ffd9d83
  SHA1 db863f0efc33b72522b228f25835826fad532d32
  SHA256 86a9eb67eca6d722a633e967a25866b874560ba49a49d024e9584f3db5a1a14e
  SHA512 9c0d57b0a6be0d6c4f81268f75f4032cf81e6287a781fdc7b0050d1ed31c1456d6650186b0e3bf1204d47c92b358b59707f260e7042837c78a8777692fd67d34
- Filesize 1.4MB
  MD5 c6e72c1e418663017ccfea1bedf7eee7
  SHA1 797a84957ebd22647d8e7ac62a81061496ea2ef2
  SHA256 d6f15036a1fd7489d7c2a04dcb2be2f44dd9a0e752e5206698f7b462970f2e9a
  SHA512 3f693de5fa31421e9a5c4ecf9182ac654a388a4934bc58b9e5e509419ea0e371d458ed8fe838f742003b3a250347e92ef9c23eac32f2cdca46fe494ff771191c
- Filesize 1.4MB
  MD5 8d205ffd6d88ed41b19caa91a7aa994c
  SHA1 5ee0cc6ef7ab500ffb99e42323fe5074b52cce91
  SHA256 7500ef088d9a7f141d896bdcc21fc38675dc4763a301d657107ca9622f74ca99
  SHA512 8462003ca9aead0737789bdd8a769608e6217e80c82264b439a1d649bc185880220959f9c4b2578cd0467fbca9409bfaeedaf1ab13e70e3a545eb11b239bb68f