25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 19:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Size

91KB
MD5

df2a40ccd36c29bfe53d22a1ee654222
SHA1

8c83efc8a0324d44dc533476af3baec4ceb55247
SHA256

25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac
SHA512

889e69086afbb30a1875ea38b45dbe370b465a87ba6a2e043ebb89169b3a8bed399ef74e9be5c0868c6aa489c320eac0f8a68d5329602dbd5ba3ceb087634394
SSDEEP

1536:XRsjdLaslqdBXvTUL0Hnouy8VjnRsjdLaslqdBXvTUL0Hnouy8Vje:XOJKqsout9nOJKqsout9e

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2672	xk.exe
2196	IExplorer.exe
1012	WINLOGON.EXE
2024	CSRSS.EXE
1680	SERVICES.EXE
2036	LSASS.EXE
2412	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2316-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018736-8.dat	upx
behavioral1/memory/2316-105-0x0000000000540000-0x000000000056F000-memory.dmp	upx
behavioral1/memory/2672-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000800000001879f-108.dat	upx
behavioral1/memory/2672-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000194b1-116.dat	upx
behavioral1/memory/2196-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2196-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000194e5-127.dat	upx
behavioral1/memory/1012-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000194f0-138.dat	upx
behavioral1/memory/2316-147-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000194fa-150.dat	upx
behavioral1/memory/2024-153-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1680-163-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019504-164.dat	upx
behavioral1/memory/2036-173-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019506-174.dat	upx
behavioral1/memory/2412-183-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2412-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2316-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
File created	C:\Windows\SysWOW64\shell.exe	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
File created	C:\Windows\SysWOW64\Mig2.scr	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
File created	C:\Windows\xk.exe	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
2672	xk.exe
2196	IExplorer.exe
1012	WINLOGON.EXE
2024	CSRSS.EXE
1680	SERVICES.EXE
2036	LSASS.EXE
2412	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2672	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	30
PID 2316 wrote to memory of 2672	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	30
PID 2316 wrote to memory of 2672	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	30
PID 2316 wrote to memory of 2672	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	30
PID 2316 wrote to memory of 2196	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	31
PID 2316 wrote to memory of 2196	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	31
PID 2316 wrote to memory of 2196	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	31
PID 2316 wrote to memory of 2196	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	31
PID 2316 wrote to memory of 1012	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	32
PID 2316 wrote to memory of 1012	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	32
PID 2316 wrote to memory of 1012	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	32
PID 2316 wrote to memory of 1012	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	32
PID 2316 wrote to memory of 2024	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	33
PID 2316 wrote to memory of 2024	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	33
PID 2316 wrote to memory of 2024	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	33
PID 2316 wrote to memory of 2024	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	33
PID 2316 wrote to memory of 1680	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	34
PID 2316 wrote to memory of 1680	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	34
PID 2316 wrote to memory of 1680	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	34
PID 2316 wrote to memory of 1680	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	34
PID 2316 wrote to memory of 2036	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	35
PID 2316 wrote to memory of 2036	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	35
PID 2316 wrote to memory of 2036	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	35
PID 2316 wrote to memory of 2036	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	35
PID 2316 wrote to memory of 2412	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	36
PID 2316 wrote to memory of 2412	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	36
PID 2316 wrote to memory of 2412	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	36
PID 2316 wrote to memory of 2412	2316	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe

C:\Users\Admin\AppData\Local\Temp\25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe
"C:\Users\Admin\AppData\Local\Temp\25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2672
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2196
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2024
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1680
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
df2a40ccd36c29bfe53d22a1ee654222

SHA1
8c83efc8a0324d44dc533476af3baec4ceb55247

SHA256
25a5afdaa876cdd0fdd6b9988ed8dcfef8b74d74414f2ef8b4f7c3ac0b9b2cac

SHA512
889e69086afbb30a1875ea38b45dbe370b465a87ba6a2e043ebb89169b3a8bed399ef74e9be5c0868c6aa489c320eac0f8a68d5329602dbd5ba3ceb087634394

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
49563d22365ae5f7bd730f96da50dbfd

SHA1
75c15a57e7a84be7caddab5b0062101d3116ad6a

SHA256
5b04b57d49dfb4b13aec7e3e9acacf5b6e36a97a7be51903a36d0e8398b871b8

SHA512
e1699e2ce2ebb08c3084b63b20a6601f7a0791ced1bb61a823fef5d3d318d751163b529b5fa7f6c1971f78b20e958465a2b8a9291a2bb009501e0f971fcbfcc9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
6a76313f83418d8efc4234a5e0f929a7

SHA1
e03a17daed396af7ac43b20439676a27df22d331

SHA256
7cf83aea563a8f16453eec437433f9b3a7c8bba377f84efc3aebd0f49f25f68c

SHA512
7c2ecb72f40b253c6f7bef9bef357862e0654bd3a7319d562d2f37b584b1cca2c793f3c6243d0a2847e59838bb049d0053725110dcf83520d254ba322659b7d2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
6051d04739d2de88a824ca14b99fae95

SHA1
cce25688c77f4501bac86f9ef227042daac88237

SHA256
e43629dd42fcfa4ca5136633dd8a79698b298cd81c68089d493a78450f2c11c7

SHA512
fe95c677debc6242b23aa8fe77fcbb2b0ade0e367683efe9142ae4189140189b9a015c32e8f617fb919aa6129d3e4ae7e74707a8855ec2f79fd3c28835ba9ebe

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
694f2e6730a96ab55f9e672d3b02dbba

SHA1
5e559a2e838892566ed38bb487fc1815ce01bf19

SHA256
a1a9340d951d19b05a8519d5e2f5a55feb7d0f3544e52f445a92d89eecaa26af

SHA512
296f07f55f6421d19cc9a647c2bdd58e76fdca0177f99e7c2076f9d7b8c9fa9837eefbae8d93f1182953b83e9d6dc7551e0b432c20d14933975a4a82bae9afdc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
c46dd1ab238eb9a3dc246eac8a14783a

SHA1
7f1d248b121b7c81c46119cecf09fde2a95bc5ae

SHA256
4e35fd6b1c6ee65714e146a417856f0d71912498f2ac934600cbbacca91a642d

SHA512
ab2f0721462a84d73d05c640394d900a13a03a80a66154c96835d0542fc8e34025c4e06619924117ff7b691787cd70868c21022d7ecee30c6cc88f4055e39500

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
39b49bbedd9ea40a1761aa175b6da553

SHA1
17d2d3f5ac9c45e8bdbd05cdb234a7d3e8757add

SHA256
ecda6e84169340488de0cad0a8b0b7b24e39e8e3bea38d6d445066f16e9272d1

SHA512
0b49c304b60a7a81c737b2a90a4822a19c12769e44873c6b19f35ceba3afb7a1dae61e9857fb7c1d7582690f7470b140064a0775aca0abd62cd4d9d7fc86ca82

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
f051278db9844412fba238ceb7427875

SHA1
48a7f712d442de0d43af1c20c42f2957f43c5014

SHA256
8ac60d28fc6e88eff2fbfd9b6d2ec4acd12459bb53553ec0c286e9a2e058d0fe

SHA512
e3a2f3e40deb6176f7e9333a29057e74525c6b4c4292a0d073509e4ce983104eccf880214b7fc946448d79e43dd7b5aef9a7bd853e6d7b74ef6967bdebe4fec1

Download Submit
memory/1012-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2024-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-182-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/2316-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-144-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/2316-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-159-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/2316-110-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/2316-181-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/2316-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2316-105-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/2316-145-0x0000000000540000-0x000000000056F000-memory.dmp

Filesize
188KB

Download
memory/2412-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2412-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2672-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download