af2b9a2a481c79678a1660ac3432894a32876fe891de0193f073b79c206a8e5b

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 13:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dfdd2233fbcca7c4f72e1e5c04447250N.exe
Size

292KB
MD5

dfdd2233fbcca7c4f72e1e5c04447250
SHA1

e945abb1e7649d91bd066547dec63c65582e86f4
SHA256

af2b9a2a481c79678a1660ac3432894a32876fe891de0193f073b79c206a8e5b
SHA512

e3b7f749d33185269afe1522f42a75b6d5e2d12085afc6e260021b2015866d3da59540aff971f07b7e8e786116f3d1723a936d1a76cee250a26c5c7aa7bf06c6
SSDEEP

6144:rY+32WWluqvHpVmXWEjFJRWci+WUd201UU5EYCTvaBjuP:knWwvHpVmXpjJIUd2iUusvali

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\\DSC8L5S.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\\DSC8L5S.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002343c-150.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	dfdd2233fbcca7c4f72e1e5c04447250N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 5 IoCs

pid	Process
800	service.exe
2728	smss.exe
3992	system.exe
948	winlogon.exe
4896	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
3992	system.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002343c-150.dat	upx
behavioral2/memory/3992-309-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral2/memory/3992-320-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sXG0Q2W0 = "C:\\Windows\\system32\\FXW5F1YYGP3L3J.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0L5SGP = "C:\\Windows\\TWJ0Q2W.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sXG0Q2W0 = "C:\\Windows\\system32\\FXW5F1YYGP3L3J.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0L5SGP = "C:\\Windows\\TWJ0Q2W.exe"	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\V:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\FXW5F1YYGP3L3J.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	service.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\FXW5F1YYGP3L3J.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\SysWOW64\FXW5F1YYGP3L3J.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	lsass.exe
File opened for modification	C:\Windows\SysWOW64\FXW5F1YYGP3L3J.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\FXW5F1YYGP3L3J.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\SysWOW64\FXW5F1YYGP3L3J.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\LKO0T8G.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\msvbvm60.dll	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\QTQ0U7N.com	service.exe
File created	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\DSC8L5S.exe	winlogon.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\QTQ0U7N.com	smss.exe
File opened for modification	C:\Windows\lsass.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	service.exe
File opened for modification	C:\Windows\YGP3L3J.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	smss.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\DSC8L5S.exe	smss.exe
File created	C:\Windows\MooNlight.R.txt	smss.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}	smss.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	system.exe
File opened for modification	C:\Windows\YGP3L3J.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\QTQ0U7N.com	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	service.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	system.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\QTQ0U7N.com	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	system.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\QTQ0U7N.com	system.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\DSC8L5S.exe	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	winlogon.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	dfdd2233fbcca7c4f72e1e5c04447250N.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	service.exe
File opened for modification	C:\Windows\TWJ0Q2W.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\QTQ0U7N.com	lsass.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dfdd2233fbcca7c4f72e1e5c04447250N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	3992	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
748	dfdd2233fbcca7c4f72e1e5c04447250N.exe
800	service.exe
948	winlogon.exe
2728	smss.exe
3992	system.exe
4896	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 800	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	86
PID 748 wrote to memory of 800	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	86
PID 748 wrote to memory of 800	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	86
PID 748 wrote to memory of 2728	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	87
PID 748 wrote to memory of 2728	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	87
PID 748 wrote to memory of 2728	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	87
PID 748 wrote to memory of 3992	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	88
PID 748 wrote to memory of 3992	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	88
PID 748 wrote to memory of 3992	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	88
PID 748 wrote to memory of 948	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	89
PID 748 wrote to memory of 948	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	89
PID 748 wrote to memory of 948	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	89
PID 748 wrote to memory of 4896	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	90
PID 748 wrote to memory of 4896	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	90
PID 748 wrote to memory of 4896	748	dfdd2233fbcca7c4f72e1e5c04447250N.exe	90

C:\Users\Admin\AppData\Local\Temp\dfdd2233fbcca7c4f72e1e5c04447250N.exe
"C:\Users\Admin\AppData\Local\Temp\dfdd2233fbcca7c4f72e1e5c04447250N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:800
- C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3992
- C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:948
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\My Notebook.exe

Filesize
292KB

MD5
bc7391939330940ddf369aca71d9d158

SHA1
dfbad0deca907a599dfc4190d7d388f242ca93a1

SHA256
124511524fca07af1fff5d1055bab1adb51a3bfdc385767074f55c88d5efc2f8

SHA512
24e2017d2e2c290a58903477feedd66424dfb2d698f508c730589ae3874edf156bb572210d775aa575f269bea7c9e4a38f7873cbb6945fed1f4a4af61abd116e

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\DSC8L5S.exe

Filesize
292KB

MD5
ed409bc39b7595e1f70016ef096182d7

SHA1
ca5eb8f181c9a57e14d2bdff848b67e0200a648c

SHA256
74c6411f310b416dc6dd9f80bf592de7128a65ee51964a0d2994117fea7a4ca6

SHA512
50ecccaa7bf135f77ceffbbebed718a825c9dcb30dda346dd8a29854e12fb468ad203463948e9b102360f49ef9536d8941df27d4e6aa0da508bff6f2c08c29b8

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\DSC8L5S.exe

Filesize
292KB

MD5
6305dcea45b2fe4764426edf13c1ce16

SHA1
39083fa0510d314142e848f615153d3ee6eadfbc

SHA256
f050a3ddee622be1e56157402a6c71b0d28d3491e14e56513bb1d29e54141861

SHA512
026ef432d2b1eec4d621a1bc17449ddf9e1de2c68be9b8e7269b91b73bb81bbee0497941bd7b5fb85f16f23840a1e584d1995c89a195cc8df10835f460041039

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\QTQ0U7N.com

Filesize
292KB

MD5
312f9f87af5ed1324534520bcb674988

SHA1
ff30f59bed63cc5b7515afb05910271f9f21f521

SHA256
f80d0750d4c12f1fc27eac6bdbe59d865e4d8043c31a0f872dca67e2620060f6

SHA512
fd55c626c0a0d1e3bef13c1caab7304052c396fa901dcb43d701882c0a99e3801e3c9a5c40c43440f07ab588a350af25e7e43d75d286a5a6f2053c7d426744df

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
292KB

MD5
eb926adb96976f01f862d441026c2c98

SHA1
0a14fb1d98f9daffad73edaad6fbef398f88a88f

SHA256
38cdd59dea4599243cfbc214641801562a62d480dcc0a8664144b4f15aa4e506

SHA512
b56289bb9dbf486d453a12abb2d0549879f9d3620c2f1f3a14b604ed5d92c671f75d40a400007faa6f858bbd2f6791394cf5a08d574a123fcba1cd4b0311d3d8

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
292KB

MD5
1b06cdd21242fb536d339f63ca7c7c81

SHA1
2ac0e2f653d1296f68d66e3b3dc1580ce55088fb

SHA256
bd4c8f84fec581944f2e04f485b1386a82f0e103b3be78ed4ab45c639803edcb

SHA512
29f5a12699e11b7f1c1d722f29e615987cafdab13023a53d65bf8fd320d848d45b4ca8e4af2806eb0b0e30523ae7a81a427589fe43ebbff954c6e47842cc40b6

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
292KB

MD5
6488c6209fad0d12bdb5ea1e9fb98018

SHA1
77b04c6cdf42bc7ca0250b2aad89e469c9022f2a

SHA256
2eb4836658fc61ac90827e67f355957b4984bd02b69703350edcf23768ff6b12

SHA512
88fc251f51ea66dbf419f95eaea63ca0132cc4569086ce11449cdeba08f689131b20902ca190e8e1c438062686f511f91179eccc8c9d05a58084b27aa4ee5368

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
292KB

MD5
db6adc3594d0bde74310767141f72d6b

SHA1
3cf16be3c9af4ee98321f4967730125b9951b2cb

SHA256
8d8cf12a84cbbab6d052614765a8d72f0ae4699607681da19128c4b5ee90e2c9

SHA512
85047366ba7344f70a7dec8b2bca4b251accb6e845d328fffb50e0ce1e84baf2df40ad35d34f7c481b518a1bbae331b0fff35d834bdcf4018bd15ece3c82802a

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
292KB

MD5
f4ef7a0bee14509adc2c2e32ff6c9a60

SHA1
f8fab8401b6ad6035951224091359021527f28b6

SHA256
55c38f7999f3f7f5077a27d758e64b1a1d9c006344dbc2b76a51421e74859433

SHA512
ffc9342deea771507ad92c19c01611a634e9541b6cf6745be69513dd5c50856413fc919a4f0be4c494aeb852c0e043dbacda2d1475b9e5eca1181de853105dcf

Download Submit
C:\Windows\RXG5H8S.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
292KB

MD5
e99e769db10dee45e879701b1ceedc14

SHA1
3eb0561c1139af5a3be8e1b7968902768c1f92c3

SHA256
d5416a0de0aa11c68abec574eb6e9f468168524d2e4cdbad4d15b1babca95dc6

SHA512
062640ee25530857a5d4fc91db4e843de6f815492934e5766ebf76d11bbfc3e8a232c062dd9259b36816f715a739a236511f239362ba7f5ea947bab363119eb3

Download Submit
C:\Windows\SysWOW64\FXW5F1YYGP3L3J.exe

Filesize
292KB

MD5
dd74cc551eb16b5053c9503640be0f48

SHA1
51256b9999e2224c8dc1bd77bb2ef87e0137b9f4

SHA256
c06445197b98a822d450266a72e28e8fa4fe9e7ad23c50a8e30467be27d72153

SHA512
99989c3effc4dcd83b42f50e72c395b1bbef0f0eb74e00e137bfe8ba8b18df34ded27645eca2eb423c1bbb334f5ffe63ae19054c6f181a54a18e64031aa171bb

Download Submit
C:\Windows\SysWOW64\LKO0T8G.exe

Filesize
292KB

MD5
2e7b29d5e7157739ff21f5f5739c00db

SHA1
1162c2a06a1ae8056ec6b70654ee5d0c4794e9e2

SHA256
c2506883cfe0892f630bbf4a6b19579aeb2fde0f40056da4288f71c8e64a7ec1

SHA512
d791cae426b1125d99c4415c721ce35cc59d8f6ffec5fea22281774a1253fc11c01cc3ae59ed058f8aa982348ebcb01a13310d1249ed7e100dc86cccc220af75

Download Submit
C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd

Filesize
292KB

MD5
1f8a8f2cc1733c6c393115383ef6357e

SHA1
d92a126da0f476f3b88e4581be1033269d8a5ddf

SHA256
72475f14cef78c526d4c33ed4a5ab8384a74723ae71df962e92feda877c2a89b

SHA512
18b41b845c64a94338e04ce33797075398b68c5c0471c254fcc5c3dc26108c00c09ab5947bf09423072b54b43c2b9242bbf9e11b864016019747ed4b86a5e542

Download Submit
C:\Windows\SysWOW64\UMO0R1D\FXW5F1Y.cmd

Filesize
292KB

MD5
3bd71b7846797b6be40371e5b8041fcc

SHA1
4ce23478c57adf9efe5cf0ad6ad0f4852f49e6e8

SHA256
f8afc566d2b5e72ea446a832ee0dd131dda76585ce9bb2709d232ad82aff50ea

SHA512
e083c1a08434a1b444783705d1d2470e185234b5c33e6866c9c93c0c148fdcb493c7605e4ad02bed48fc81877b211dc2666c8514ac4537e0b243f8e7c726f729

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
67fdaab1f612717e0a6f0cf8575bbe22

SHA1
89e34470acff1d2d16c10ca31bef5cb4a25e33a1

SHA256
2a71cd36ac6d35772fa427ba4ffd091815b1003aec2090fca54fdee137c8a1b8

SHA512
6bde82e998a48eb3b63a9c3c08b828680e74f999f8e22e8877aedb729766ecba8543ab85f7a5f615ef49feee5debb6ed22a86706c5f6a9d6890602c954a8edde

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
c244424054a06d4ef6b2195b2b0d8c4c

SHA1
b8bbc8911b223fcc72517dcc77d74b5fa1449564

SHA256
70e19f689376d1b2fb5768f496402080cc2353476dae0f25b9a3468d8421dff9

SHA512
a27515911c92a21b61729aa19eb314c41e39e132cb623223f1753cecf2fe6d8520eef3cbb3029f9fe034222def6847b0538f935efc17ef33242dc9c9fa96ce9c

Download Submit
C:\Windows\TWJ0Q2W.exe

Filesize
292KB

MD5
f078fb2a4398331196c47a62d8d8c8ea

SHA1
4ed5ae2c3e2601c35c54562045e93e9ab627c611

SHA256
61dac19d06a99482572b50b080de216dddc83e982322d06ebd5e58683865caa7

SHA512
26c9db32b5e49e41d4ee143a6147b4708506a3d9cce6a43263c50d963ddd5395bd76f61bae25c51fdda7b5524ad114d0123f2074d67565c9f7b935eb25f32368

Download Submit
C:\Windows\YGP3L3J.exe

Filesize
292KB

MD5
1eae81da448eea64352d2dea99495fe7

SHA1
705998eb4e6e551b69d3d0296eb65046c81eb054

SHA256
99016a881900d33bb53cc50edcca87251ed346129f524c02de1c9ee1c392639c

SHA512
1c48ed271eca41a35077551194635bf4fe3951646b1c86c651e379902e4a71b34aad0c75744d39ceb000e4e3f769553a1705157e965b90b4f06328516c414692

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
d1ee55dda1048bdb13953a00759a05f0

SHA1
9e1f5772c8eb0a1c0d748c5ae20fb23b2929b95e

SHA256
a113b6c17a773b3eb04a0e7724c60de9479e52f7111de1e97b2f924b22b45432

SHA512
b803d5aa05deb31f6e91cc2184e3e256a1df9a4a7cd90cea85d507b3b5366e949775d7c10763199ebb56c54fc917093c7e47e1703d43a1dbe5ff06cf763d0be7

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
cad01ce988370f1f7ba6d1b366b67350

SHA1
456ee670f051bc6dc0f6ac660c202da6cf08ca2c

SHA256
ed6cdafd3b8f026f7b564a46e608f49332d8499187dcbfe5e7f4f105a31e8c4c

SHA512
dc133d6c905391a99b2989217d1cb5879bfea710f90a3f013fa3e62e55399edbfee7a167360fde9d33f87016f82a7707da40e4892c0ab72a441e57a13b664821

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
016153e7d87da4663906542e9984ed56

SHA1
98bcd3fa50dfe9cc40e7cfc6d2473676bdfe1c78

SHA256
ff8e86e1e77eabbbd74fbac06432a73af90663e4ec1ca8083a94cf10adadbd30

SHA512
1e8990ccdf6857cabdec0abaeba1ac68cd67f769ff2a9c40d13bbc09980895793284c861bbd5ced0557cddbe5efd92d07f9f339bdf30d1935a80f0af21a30093

Download Submit
C:\Windows\lsass.exe

Filesize
292KB

MD5
2e90369d6bfe2f516bbad1e80f295254

SHA1
26b1f88284360d15f4bada12be740f02cc7db178

SHA256
25a7c26f1aa45d3679688d8cace3fd0e69dbeb2326ceb72651c2e12e50ce50de

SHA512
c72825335d22a7ad904471f0d048ccf60bfd1d77259f6414657cc3325499eb855d5be03475ad2ad2fd49e2a8a5c512a94e97338c07d8da11fbceb3ef01f98c04

Download Submit
C:\Windows\lsass.exe

Filesize
292KB

MD5
fdb61d0d0f414e7837de64998bdf9762

SHA1
249ed06aaa24d5df5ad18c3ac8c72eab5ee2e677

SHA256
6c57dac74abd9a8c91538eba1ceef39de894aedbabdbb2081d05c7509b9ad14c

SHA512
c636e65bbdfff0ebfc9ef751b8fc680b78afeb4e4a5b849bd2bdfb25741636b8740f379a5dda13c7f326188c53ac7ed45c07bcf1055b040e129a4082543545f1

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
12436a36db8c34408612ef20a9117495

SHA1
0c70db1f8ca9bc0d7dfd569cc4ab404c63015b9c

SHA256
c3a9677bbffe69b3b6a85b1ff97ca0368dca85aa1d46fc4ed20cee5dfffa3f5f

SHA512
4fa7c8040449d523f1317c1c2685a2f7070b0ca8611a06b3525a28c91ced810c3442646beaf0c6e3ffa2a9e21f812c14fc8c31b19a5cebb72105adad8843c2b5

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
9a9f3b124d45dc37a7f7ea0d56a2ce77

SHA1
0040ee250be20db1c54f20538422950f967a999c

SHA256
18109fcda7b887d3462aea4c31baf1772ae0926ff1b13835f9ad7c24c3225b32

SHA512
b20973d37eb109537c5889f8deb5b0da3ff3d89d11e2ce8bad0ed7b8627a539e22f9579c8913e51f24891892be9aff62b4ba99b9f51de717136c565aa21e4eaa

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
8c15d1f3656c13f316c458619e9281dd

SHA1
7ebc25360bcb518060f22b84652e62590ea2942a

SHA256
243c0d3a22c03b3538a1e7f4fcb9b60ac0bcd5959ce40cd6e5605bcbcb19787c

SHA512
707748967aecfedb7889c7531c55a8dc0c8c5a6164ae8cfd6525d4778053e526edac0cf220b55125f372420f84cdcacd4c022b55e7388e0d7b60dabc2e32ffa3

Download Submit
memory/3992-309-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/3992-320-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads