18e494197d54ab59040ccf3619e0c5c0ec118284fed8944b057b807751e70d12

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c8f56deee571e0fdb98dd3150ce76a0N.exe
Size

91KB
MD5

2c8f56deee571e0fdb98dd3150ce76a0
SHA1

579b8e467b7182a2e33da358cd298e0c96ac53dc
SHA256

18e494197d54ab59040ccf3619e0c5c0ec118284fed8944b057b807751e70d12
SHA512

16e7646e54647809bf3107e22a9bb59497d66bd91f4a29164bb24f321ed083e6ff29d04ecda505e0b6465b1a34b794f56da0a7908ee651725080106fd24fd64c
SSDEEP

1536:8AwEmBj3EXHn4x+9aDAwEmBj3EXHn4x+9aS2:8GmF3onW+MDGmF3onW+Ml

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
2640	xk.exe
2596	IExplorer.exe
4528	WINLOGON.EXE
2076	CSRSS.EXE
4564	SERVICES.EXE
1920	LSASS.EXE
2168	xk.exe
4932	IExplorer.exe
3720	WINLOGON.EXE
972	CSRSS.EXE
2972	SERVICES.EXE
4520	LSASS.EXE
628	SMSS.EXE
4016	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\desktop.ini	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened for modification	F:\desktop.ini	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File created	F:\desktop.ini	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened for modification	C:\desktop.ini	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\R:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\E:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\I:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\L:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\T:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\V:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\H:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\M:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\O:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\Q:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\W:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\X:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\Y:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\Z:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\J:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\K:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\N:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\U:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\B:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\G:	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened (read-only)	\??\S:	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File created	C:\Windows\SysWOW64\shell.exe	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	2c8f56deee571e0fdb98dd3150ce76a0N.exe
File created	C:\Windows\xk.exe	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe
2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe
2640	xk.exe
2596	IExplorer.exe
4528	WINLOGON.EXE
2076	CSRSS.EXE
4564	SERVICES.EXE
1920	LSASS.EXE
2168	xk.exe
4932	IExplorer.exe
3720	WINLOGON.EXE
972	CSRSS.EXE
2972	SERVICES.EXE
4520	LSASS.EXE
628	SMSS.EXE
4016	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2640	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	85
PID 2776 wrote to memory of 2640	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	85
PID 2776 wrote to memory of 2640	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	85
PID 2776 wrote to memory of 2596	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	86
PID 2776 wrote to memory of 2596	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	86
PID 2776 wrote to memory of 2596	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	86
PID 2776 wrote to memory of 4528	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	87
PID 2776 wrote to memory of 4528	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	87
PID 2776 wrote to memory of 4528	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	87
PID 2776 wrote to memory of 2076	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	89
PID 2776 wrote to memory of 2076	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	89
PID 2776 wrote to memory of 2076	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	89
PID 2776 wrote to memory of 4564	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	90
PID 2776 wrote to memory of 4564	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	90
PID 2776 wrote to memory of 4564	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	90
PID 2776 wrote to memory of 1920	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	91
PID 2776 wrote to memory of 1920	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	91
PID 2776 wrote to memory of 1920	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	91
PID 2776 wrote to memory of 2168	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	92
PID 2776 wrote to memory of 2168	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	92
PID 2776 wrote to memory of 2168	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	92
PID 2776 wrote to memory of 4932	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	93
PID 2776 wrote to memory of 4932	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	93
PID 2776 wrote to memory of 4932	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	93
PID 2776 wrote to memory of 3720	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	94
PID 2776 wrote to memory of 3720	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	94
PID 2776 wrote to memory of 3720	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	94
PID 2776 wrote to memory of 972	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	95
PID 2776 wrote to memory of 972	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	95
PID 2776 wrote to memory of 972	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	95
PID 2776 wrote to memory of 2972	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	96
PID 2776 wrote to memory of 2972	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	96
PID 2776 wrote to memory of 2972	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	96
PID 2776 wrote to memory of 4520	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	97
PID 2776 wrote to memory of 4520	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	97
PID 2776 wrote to memory of 4520	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	97
PID 2776 wrote to memory of 628	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	98
PID 2776 wrote to memory of 628	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	98
PID 2776 wrote to memory of 628	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	98
PID 2776 wrote to memory of 4016	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	99
PID 2776 wrote to memory of 4016	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	99
PID 2776 wrote to memory of 4016	2776	2c8f56deee571e0fdb98dd3150ce76a0N.exe	99

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2c8f56deee571e0fdb98dd3150ce76a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2c8f56deee571e0fdb98dd3150ce76a0N.exe

C:\Users\Admin\AppData\Local\Temp\2c8f56deee571e0fdb98dd3150ce76a0N.exe
"C:\Users\Admin\AppData\Local\Temp\2c8f56deee571e0fdb98dd3150ce76a0N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2640
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4528
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2076
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4564
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1920
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2168
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4932
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3720
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:972
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2972
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4520
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:628
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
571a636dc143ab1f68453fdb57930127

SHA1
8b401791b2927721a3e009c40d549c8c6030ba40

SHA256
4e2500b4ad6667b4a2dcdc0ee5e71b86d97e34246c828a819f813233c3b64f58

SHA512
f6079e35456aa946e189358770335ec27025b2854e512fa1bd6fb170fba0b6bd974c48b975359efa5b36f5388c5c0fa0a5a6fb6f8e0665d532a0f4e9c6f23648

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
e9b0789755b0a8ebaa6318140d41e857

SHA1
e0ea4c2c49c47ac934ee07f51d9b1ba8aee99d7b

SHA256
9c1931a050fbecb5f55bb7e739924d5057d33ea3cc0763b4c76c0f07022085a3

SHA512
9eec9a570161827eb4dca64f3f08474a6cb7df1fb63e033ae0b3118bd9305e1ffd96ee6e28de1403a6aa5d6ca331c8e7322162bd90a0374b70bca4b8656b77c6

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
7c99db663c4dd5f5b0006bc77bf42fe6

SHA1
03b91f572323f396d51279fafdca1bf87ecc91d9

SHA256
f8f37b8e05a3bd589cb8a27214579523331a97e1b3757644361783706dfd2583

SHA512
5331a2d4b91f1ace9c7a91a4274c2d1c9215d1e3181856bcf996b2b481563c14b7ea90a2ef0edcb1ba2568106b2915a972ad28033ce3a0803b08e3bdade9580d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
09d5b8e210d59598c5824e1f10f84372

SHA1
7fa06086d8a7449aa519df01913a5410a902f142

SHA256
1c869c708e5d1901aea6ce7d58a8bf1893d259b93f7cb0bf66698f6c054a6522

SHA512
385de45afee21b02fead124f2683e3a0fd79450e4f6679493df41e44416bebc637f19e594c86e487f1423d04cc2b43e885c21012ebcdc3612534b9fb43cb2dfc

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
c853b5f84695fda61eaa9200838e4a2e

SHA1
4876a4724d7fcc1f9442bef5fd13f4971b376714

SHA256
8aac0280c55f8db1e2af13a8877b33227cba121537f0b6ffd3354e238b4a5f69

SHA512
880f735d1e1b1ffa5de013ceca8a7ef728fce6d65b56cf3227467d775f930336ba5420daf538fb05e9a642b5cfb3f19dd8312913ec57c64c1c9a63be53aa21ef

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
45218fac459201fa4120526e3aa827b3

SHA1
12b6b690fa79059a629e7525081215e20ac662b9

SHA256
2d1b96ee0870ff41426adfe36e070b85c1f58e1c926483da098081859d684255

SHA512
d0ec9eabaf40db1ee23b6dd7d01a0ed9a2adc9199c79964a15726b5697815d7905b233e85b1b3391a1a8481db2fbc44753dbc6fc9300c737505f8e7eabbc256b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
3e2d35241cc232034d9ae121d383a0b8

SHA1
7e9fc5fe232abe265e36c5c89f96129587470c7a

SHA256
48b34013e495d62c1402105ba6e11a2ddff1cc254c131e74c60729ee0a6b7402

SHA512
f86feb7c29078dcca67dcd378735b4a548f7edcd5fab99a6c43cbcd7399cca7ebbc3b7c82f04530099329b9036f67d414eb0caaec63bd0d9381803ae1745b440

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
339d42f6838f83642c63b773c8c364ca

SHA1
89e5b798d434cd04a18797b433df45d9d8a0f906

SHA256
10bc8ef6d951c6ab45b3c5323bb3f07bc89b891094b244097a82e0a0cb3d12ea

SHA512
4b05bfc63b0df3943b36d08c53f927d693d65816d3b9cb1ab3e4735d30da094a2011acb825c93998439766cb907baf84ab1953386f5257e8e82519d3198f277f

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
2c8f56deee571e0fdb98dd3150ce76a0

SHA1
579b8e467b7182a2e33da358cd298e0c96ac53dc

SHA256
18e494197d54ab59040ccf3619e0c5c0ec118284fed8944b057b807751e70d12

SHA512
16e7646e54647809bf3107e22a9bb59497d66bd91f4a29164bb24f321ed083e6ff29d04ecda505e0b6465b1a34b794f56da0a7908ee651725080106fd24fd64c

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
efb7748b57ec85b5cbc94f766c0cb537

SHA1
d6f7ea78db80d0ed9c9bde47afa58acbd28f4b18

SHA256
1a9dbf2f8e549913ccd7a92d304aa82b86ba069d68d97e052513efcf0fa4e621

SHA512
040b85089f8c3482edf8b3438eb2d97a6feb374402422da9d4b5ec25f3a4d0b7c0315ab7f63a52afdc36b9efd94df2bb23db6a5016e8507c6e3e34dd5a859af1

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
8e8b80692be67e948c28a68bf232bb33

SHA1
927740ccd4132512fcdcdbce83faa12ed549e271

SHA256
17540a5e82982825e6fc75c202192ce513ed7f0901ec074e0f43607e897ab53e

SHA512
b2f44f3d612a5e577cf22048f6f86ff75a6ec5e41e9dcb2c2805ea75548539cfe272963506e80aee8e035545d99fea81971d4269cf6c42b8e81eec506028fd4c

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
4130702eb9d45deee423899fdc3f059a

SHA1
4a4dacf24c8407f334195033eac70b122bec31c9

SHA256
15d0fc3fa99574c48a31e367320410ad5c78de41f70990dc008843f2dff4b715

SHA512
0d484796a737af81a9b1ead01cda51b4a8f6b3b34127152cfcf9172d587085ae80be1620cd22d60698621807e0004141d6873a91630c73098087419aea9e1519

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
a244097ca37b3979270937d6fa81edad

SHA1
bc761bbc68e6a40fbfbb47fa1479181ae1ee5129

SHA256
2eb735bd247e1aaed1a2b01ec4634fe24789b73c00a4eaa7b67139336ab824c2

SHA512
56364a08c679b942d3d9ea3203c22cddec315265c194e8db82cac7d6b57a92d458c6c9bb6983371487460d8cdf0df21a064b8ecaf8608d6ec708320b2049509a

Download Submit
memory/628-241-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/972-220-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1920-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2076-133-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2076-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2168-194-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2168-200-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2596-119-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2640-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-214-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-263-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-270-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2972-226-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3720-213-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4016-269-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4520-233-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4528-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4564-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4932-207-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4932-201-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download