42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
Size

459KB
MD5

72ab3f264137afe93ce5b00511f59e92
SHA1

59e9280f83fc2d33c7b788d8fcc2f8db1ef848e8
SHA256

42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e
SHA512

c65e52d572dd8e1736af032aabc42c42ff228c2eb394d43906a5c677e3160e89862e2a47b0d47f3440c7704b925355f848b1d2cecb369cc61a6631e5a52aee10
SSDEEP

6144:JY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4zT:OnWwvHpVmXpjJIUd2cUusvalxzT

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\\VNU6G3N.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000016575-152.dat	acprotect

Executes dropped EXE 5 IoCs

pid	Process
2624	service.exe
2492	smss.exe
2308	system.exe
1524	winlogon.exe
788	lsass.exe

Loads dropped DLL 7 IoCs

pid	Process
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016575-152.dat	upx
behavioral1/memory/2308-239-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral1/memory/2308-249-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\sSY7L0R0 = "C:\\Windows\\system32\\XSR3Y8TUYK1G2F.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0G3NYK = "C:\\Windows\\ORE7L0R.exe"	system.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File created	\??\UNC\BISMIZHX\E$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\S$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\T$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\K$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\G$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\W$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\C$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\D$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\M$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\B$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\F$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\O$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\R$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\ADMIN$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\A$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\P$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\Q$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\Y$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\H$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\N$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\U$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\X$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\I$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\J$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\L$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\V$\desktop.ini	lsass.exe
File created	\??\UNC\BISMIZHX\Z$\desktop.ini	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\V:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V\XSR3Y8T.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V\XSR3Y8T.cmd	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V\XSR3Y8T.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V\XSR3Y8T.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\GFJ7O6Y.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\GFJ7O6Y.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\GFJ7O6Y.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V\XSR3Y8T.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V	service.exe
File opened for modification	C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V	smss.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V	system.exe
File opened for modification	C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\SysWOW64\GFJ7O6Y.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\SysWOW64\GFJ7O6Y.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\PHJ7M8V\XSR3Y8T.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\GFJ7O6Y.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UYK1G2F.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\VNU6G3N.exe	smss.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com	system.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\lsass.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\ORE7L0R.exe	system.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com	lsass.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	lsass.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	system.exe
File opened for modification	C:\Windows\UYK1G2F.exe	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com	service.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\VNU6G3N.exe	lsass.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com	smss.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	service.exe
File opened for modification	C:\Windows\ORE7L0R.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	lsass.exe
File created	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\zia02128	system.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\VNU6G3N.exe	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\VNU6G3N.exe	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
File opened for modification	C:\Windows\UYK1G2F.exe	smss.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\Windows\UYK1G2F.exe	system.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\UYK1G2F.exe	service.exe
File opened for modification	C:\Windows\UYK1G2F.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	smss.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\VNU6G3N.exe	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\ORE7L0R.exe	smss.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\ORE7L0R.exe	winlogon.exe
File opened for modification	C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2308	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
2624	service.exe
2492	smss.exe
2308	system.exe
1524	winlogon.exe
788	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2624	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	28
PID 3012 wrote to memory of 2624	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	28
PID 3012 wrote to memory of 2624	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	28
PID 3012 wrote to memory of 2624	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	28
PID 3012 wrote to memory of 2492	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	29
PID 3012 wrote to memory of 2492	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	29
PID 3012 wrote to memory of 2492	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	29
PID 3012 wrote to memory of 2492	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	29
PID 3012 wrote to memory of 2308	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	30
PID 3012 wrote to memory of 2308	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	30
PID 3012 wrote to memory of 2308	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	30
PID 3012 wrote to memory of 2308	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	30
PID 3012 wrote to memory of 1524	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	31
PID 3012 wrote to memory of 1524	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	31
PID 3012 wrote to memory of 1524	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	31
PID 3012 wrote to memory of 1524	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	31
PID 3012 wrote to memory of 788	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	32
PID 3012 wrote to memory of 788	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	32
PID 3012 wrote to memory of 788	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	32
PID 3012 wrote to memory of 788	3012	42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe	32

C:\Users\Admin\AppData\Local\Temp\42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe
"C:\Users\Admin\AppData\Local\Temp\42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1524
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Pictures.exe

Filesize
459KB

MD5
cf1d20f7e0c368bdd8ba57b46d44b534

SHA1
b87b2fcc6f11a61a66197347bbc39973c748a7c0

SHA256
c0ece04a7784ed6fa759b980ab2668735e9564f896a6d3b3a4a22d1094b1ee18

SHA512
36aaeeb9c1789b87a61ae38e39fbf5b777df591e1601c4ce422c55ac911b29dd548204ccfa24562a240a44553f9118a6af2d9cf7496b01b8d68de9762c52923d

Download Submit
C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com

Filesize
459KB

MD5
4e9000fd4e1ca9c1720ba8b25e51c0e3

SHA1
15032b2d182536492fffc8ff9bd484b68ccbc636

SHA256
0c6f2b5e886238c57ca7167a4423b76433a7231b96122664d91d62329877a784

SHA512
a985016114a457fc883b973237033285cf50887ef23f7ecbf5610afd8fd6359d513044710500efeaea3f2055a09ac521fa1d6af8661e481dd7fd02b8292e7f4c

Download Submit
C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com

Filesize
459KB

MD5
5f805cbbee230620302508f257490483

SHA1
750b42b61b4dc24104553977305609412140d40a

SHA256
7959fb4e24fbb799e343996e11f9e8244486f5a022362edaba605d1ff23c11f6

SHA512
eeccf6572de810d780483275329fd3b31d103bf74f3a115bfe0b65500ed5482b0fe81b059fa2dc465ea742fc2649098a869e1bd8b0c7e50fdebc7f726ab262b5

Download Submit
C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\LOL7P5I.com

Filesize
459KB

MD5
8c44b575f94e4586198fe92c0f18447a

SHA1
355e78109bb3fdb51751141f7347a7bfa410df0a

SHA256
f8d6900a1c40b4845965b75fc1fce3d5e2d08c76863019c81ba5f3cb80a21b4a

SHA512
82164c06e718779bdf72646391b4e19edd1d331a337921a2792f730a3e21932ebe1154c44ffdf0357a701b35b35ee278436f87f7cc7b470f4bc3626968cd1a1b

Download Submit
C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\VNU6G3N.exe

Filesize
459KB

MD5
86c1efb3175516c804a7f205cfbdd15e

SHA1
df67c229782c01839773f34ad728555729b8f2b0

SHA256
e3ca3711f6dded65f883ee337aa877c7180d4058fd47d8398bee011ed8f4a2ac

SHA512
94e6eaac186ea233776d7959912a369897820cf46f68db3fde096aebe3991e03d50ab7c818a40078eba83d61ffd93f406db307ad0f0f135622e45e5dd1732095

Download Submit
C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
459KB

MD5
927280d660fc9a08b899c35a44aacf8d

SHA1
51b6cc31025d26be8bfbb7cae7f0142b68762c42

SHA256
4f74fea36d9422c2ff448eabf57c98534fdef0dec2fbd57ce956a16b8622b268

SHA512
6c03c80a41cd4524f49e95042459371a7124d74e40c4907f9ea8df3a84906a3a419119d9d397aa43db6b4f2deca50720586c4aea9aafd818750d373166176ee7

Download Submit
C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
459KB

MD5
6a61014a87548b27daaf5849db88944a

SHA1
519b8bbef05068b647b31d0ceb08bad13f074c2f

SHA256
5e693d71a2a016c07f0130745753b499dee7fc1df11134e2bdf0ec064d6f54c4

SHA512
ffcdfe662f87d2ae54d55cc90f40c8550e7daa7967fd4a2d4e9fece42cf2ddfad7aee2a04d04c30e1e1490d994179871ee6a9230f5700d7ff09ec77b9efdccf7

Download Submit
C:\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

Filesize
459KB

MD5
f4be5a6f8d1d6f406b0207c6383a1fec

SHA1
8ed928e459712099ff414d287458807fef985b5d

SHA256
d7d3ace97a2273e70ef07b0979ce19516daae1a0d86217c0baa12a7dfa53582c

SHA512
93caed153785f6257dd95c3545f33bf6e33e862f3a471065b5cad6894c08e65ae30a9fd391b0d75f80cb9f124cfa23d2aca76ca1fed3ef8c145e6fb47bc6dc11

Download Submit
C:\Windows\ORE7L0R.exe

Filesize
459KB

MD5
4ac8682365f33ebe4dfd523e5c9fef29

SHA1
8ad07dda97e51340a48dbb0a17e5df0fb900bc55

SHA256
bf020069a6bd41c8ce6baf4aa81f46d834a34f203eb980129f1eb8911fb7dfe8

SHA512
d9de271d970ab74e7564a995248c0a57aef0a61a280b2a3826db5b45d84062fb510f48c18d5a53da3195e1a5f4dd446c21c4d71183e991311a203800c9a00bcf

Download Submit
C:\Windows\ORE7L0R.exe

Filesize
459KB

MD5
043104a75e907b6fe1e5c4b7db5f979c

SHA1
01926744f8d970cbffe429967840ccf97be0c24c

SHA256
df99bba5e16101750592b67a7fb90a3383e99c3c903d19af3f10887a7e2e2945

SHA512
d56a984b4573c28f27853c1116ec56f2221f66a30647182543763f09ccbd5d49563112ee85ca43394fc585adfca14d4f7ea56b535517d057677996aefedc579f

Download Submit
C:\Windows\SysWOW64\GFJ7O6Y.exe

Filesize
459KB

MD5
9bd3cdabd9809ef615e533232b85fbfa

SHA1
8d16e314e8d522cc95432b711eae4414bd76d842

SHA256
f79e2cad9aa724f3bbd8064532ea5a3e04147b6d927a9d0ba73804ce0faaac5a

SHA512
e002d927caf4b3b49802383a736ce1d36ea460e9b82192b1ea076b9a656751f23547878a6aacce0c010384a997e3089bc35ca3acc29ad3426c5359d952dbff06

Download Submit
C:\Windows\SysWOW64\GFJ7O6Y.exe

Filesize
459KB

MD5
72ab3f264137afe93ce5b00511f59e92

SHA1
59e9280f83fc2d33c7b788d8fcc2f8db1ef848e8

SHA256
42fee1bf320a49235fd5a50bf687e62e2a50c582696aa86e0c25cc827827118e

SHA512
c65e52d572dd8e1736af032aabc42c42ff228c2eb394d43906a5c677e3160e89862e2a47b0d47f3440c7704b925355f848b1d2cecb369cc61a6631e5a52aee10

Download Submit
C:\Windows\SysWOW64\GFJ7O6Y.exe

Filesize
459KB

MD5
c05172666fbfc34bd0b2e5b5c11db010

SHA1
ca0fb551a366d6620b7297d6fda38647117cb025

SHA256
fac81e1d241a3d04f95c24a841864ea13691e236290259377164e1694a9a2309

SHA512
2664ba9a094da9e159562dd8b1192c0d107a4ae6535df4694cb67033c7d5c24570b804a7a325323f2d39d53204aa5297a7cfccc74410317c71791f0c9f69e1bf

Download Submit
C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe

Filesize
459KB

MD5
018807c1ac027552651c163098b17a37

SHA1
dfc502d2729b9c00732f33fc57a9979c8c36b180

SHA256
abae7f83a049274688f6d259bbff05d4c3dd90e3a8b7c6aaef45ff171a58142b

SHA512
50a6db63a18b921f51890cdfba55a6453eb23c600eaacdbc73b321aad473e3e3e92f458e60d0d4ea6e7b2c113ab88ed0e6d1dd804452bea2e759c78d8eb33a7a

Download Submit
C:\Windows\SysWOW64\XSR3Y8TUYK1G2F.exe

Filesize
459KB

MD5
cad397d62b4fe69517e033c53b7c793a

SHA1
3d51b36dd5f492cbbdf5ab49ceaefeacc9edde07

SHA256
099eed8b00f8396f523641c3178bf820655e649fab00b9eddd8467a97cf4de6b

SHA512
9ac26b24433da962c474e01ab79bac48df35475d0c033e08fbd5bf3e8936eeee1a64d0eb56ab8a230634780e302039be0a65c81989826d590e61049f1469f461

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
620befe53d53927e7f650559a70636c4

SHA1
dae700ad0d4719474acf452daf855a4b3f960452

SHA256
e13b7df9d5394961d4ab16582456a9593d1ae9d9efe986a2ec6dc1f5d8571c3b

SHA512
6494bab284961ad419e60c978cf220474fd97b475b06a2be1c6d22e7eaf2ddef81ebab099b6f8e8f7d6e9548550371b160736a62785e3557ef9a473994816def

Download Submit
C:\Windows\UYK1G2F.exe

Filesize
459KB

MD5
35a12a7fc163ee19c4e64da9235e056d

SHA1
6fd5d1eeb8a6c72c59cc7e0021a596045b4f5321

SHA256
d381cf28b76a3937be888ca93e25fdbeb9a1b190587349b54fdbf067b7bb5af3

SHA512
baf768696e324b0f84bd31b090ae9d2d02e2bd486baa057bfaa02288c3f730a9236f77e3367799607b7a9e720332cbfd116a2358a625c4419de2f32454c28f4f

Download Submit
C:\Windows\UYK1G2F.exe

Filesize
459KB

MD5
f2ffcc839ba83f1a7541b4bd0089b8ac

SHA1
9d6bd41e37ff7df70e8e673177ce3f513f558f9e

SHA256
12c7933293b309b7bba92d3aaa23178aa8c830e93d73798ed96babbd63cfeea4

SHA512
8e4a5edeccfce6033e428c71b4b213cde2c79c700f8aeba1595a536e26261bfa1efad698f46f290f508e911744ddf0c72bfb304698cb4d6b7e493e0b818cb1ef

Download Submit
C:\Windows\UYK1G2F.exe

Filesize
459KB

MD5
10364e9a38e6aa9e26608c96291adb65

SHA1
4209b4e192aa3acfa9a52c79ff63714436991828

SHA256
3e785da6b868493f2c633d972621ceb627638dd0652eb28c004bd47cfd1abb18

SHA512
170f0ea0039ea0ffc8ef8194228af73ded46393997cfc82e018bcd1d0e68d1ee22a16edec19455af0491e6e47eb9a239ab6fe8922c6e25edb4a034ac759fc037

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
3e4aa52683adf2ae9b4ab3f64a02d1a2

SHA1
b7e309eb33f95a409401effd72f919c720030edb

SHA256
15c9ad0863df8f1db620e11044020a237fc27af295404ae62bc4bbd2608c5538

SHA512
2fb67a139fe992317e77c0acc291da363481a949f359b8472ceb0131c20a17d17d14d25682ab9b215290734532e564d72d75e8c1cc88d43dcd3fbba618732385

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
d98c8e75e0b733b355221719abeb71e4

SHA1
e83c3d1bb4a5e346e8cd2582112ad8c44e18da2a

SHA256
4128459a5e29bc260f774480f81d2a1b558c7b5adb4bfb0c2bcce1d939b497f5

SHA512
312bfb82a0aa07e508fdeccade049f6edf434705ea6feefc5f24512283b2141700feb60d543523bc765be0b53bd6e95a533a6bad2a467abf0437228b2edcd7fe

Download Submit
C:\Windows\lsass.exe

Filesize
459KB

MD5
716d733e1bf0a533129a80ab91348178

SHA1
ce8a67a121bf1144b6b41b714aefc6f66b4942d6

SHA256
bff31b4b7563000615131784cf059d7e7abaa693b7ca01ad6ff43446ba1aa647

SHA512
fbf6f49fc8fd2c40b4c92dca7eb4c084bc0b94b8fd4ee44015ee23179382e90a4ac08316c76c96b566defa1bca89217690f016788bb98d1e735689886be578dc

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
daba2ad22aebdd9f7f721ca811dea5b1

SHA1
9a96557e3ba32d05e3f01424f096b78c5be08dc5

SHA256
5bd1d9790c84306c6e16aba066e89927076c7b20b373d567327fdf02a1572f69

SHA512
f070910d170deb1880c066fea74801a281bfda735719bd1355e893522a2a019d80c76ae7d700890037888c0c4a89354c04edefbe1680188dbf0fa6aabe2a8efb

Download Submit
\Windows\MSY3C6N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
459KB

MD5
0ed13a12faa717084849ac5167d06da6

SHA1
2554b9ec31712fca1d177d4e8286505b2216667b

SHA256
42c1687a1fa667f96f07b7fadbda9ed03abfc3bb1b0e37479bc4b0a0f2b03ccf

SHA512
07928b33438448aa134084b7e9eaa28cb5ce2833c19fddbb6fc46cf4f5e8a30e7554025623adc2bb7e50816786da3c2e6874836b4f762d12a99b81aa891e217e

Download Submit
memory/788-251-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/788-210-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1524-250-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1524-150-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2308-249-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2308-248-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2308-239-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2308-91-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2492-68-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2492-247-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2624-57-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2624-238-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3012-209-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3012-73-0x00000000036C0000-0x0000000003733000-memory.dmp

Filesize
460KB

Download
memory/3012-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3012-54-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/3012-55-0x00000000036C0000-0x0000000003733000-memory.dmp

Filesize
460KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads