bcc741194a70a982ad991d85beb39c94dccb0a61c45780bdb566d7fa52627f88

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22-07-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b251af519386823ce936c4742f4e720N.exe
Size

2.0MB
MD5

1b251af519386823ce936c4742f4e720
SHA1

0b0642e2bf889a7fb54d4808096f4fc307be465f
SHA256

bcc741194a70a982ad991d85beb39c94dccb0a61c45780bdb566d7fa52627f88
SHA512

62bce0c4acd4bbe30e28d2a8a2b11841d66a04d2a55682a0414954aab476567bb2ed94642f1c501b7615b85ee90c7d5562265b33dd190be19d11feb6820325f4
SSDEEP

24576:du5anSoIjXdVtTj2i64T+jdxQCfgOFD3WSwd2QtBBw6xxhVxQtmibjOhZaiRu/4k:BrI5bTChxKCnFnQXBbrtgb/iQvu0UHO

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\LRX3Y6M\\UMT6F3M.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\LRX3Y6M\\UMT6F3M.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\LRX3Y6M\\regedit.cmd"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\LRX3Y6M\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe

Executes dropped EXE 5 IoCs

pid	Process
2820	service.exe
2736	smss.exe
2840	system.exe
2628	winlogon.exe
1548	lsass.exe

Loads dropped DLL 7 IoCs

pid	Process
1660	1b251af519386823ce936c4742f4e720N.exe
1660	1b251af519386823ce936c4742f4e720N.exe
1660	1b251af519386823ce936c4742f4e720N.exe
1660	1b251af519386823ce936c4742f4e720N.exe
1660	1b251af519386823ce936c4742f4e720N.exe
1660	1b251af519386823ce936c4742f4e720N.exe
1660	1b251af519386823ce936c4742f4e720N.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000019249-180.dat	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\sRX6L0Q0 = "C:\\Windows\\system32\\WRQ2X8STXJ1F1E.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0F3MXJ = "C:\\Windows\\NQD6L0Q.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\sRX6L0Q0 = "C:\\Windows\\system32\\WRQ2X8STXJ1F1E.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0F3MXJ = "C:\\Windows\\NQD6L0Q.exe"	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\U:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PGI7L8V\WRQ2X8S.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V	system.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V\WRQ2X8S.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V\WRQ2X8S.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\WRQ2X8STXJ1F1E.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\WRQ2X8STXJ1F1E.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\WRQ2X8STXJ1F1E.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\WRQ2X8STXJ1F1E.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\WRQ2X8STXJ1F1E.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V	lsass.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V\WRQ2X8S.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V\WRQ2X8S.cmd	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\SysWOW64\WRQ2X8STXJ1F1E.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\SysWOW64\PGI7L8V\WRQ2X8S.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\TSW3E2O.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	1b251af519386823ce936c4742f4e720N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LRX3Y6M\winlogon.exe	system.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\lsass.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\TXJ1F1E.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\TXJ1F1E.exe	smss.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\TXJ1F1E.exe	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M\smss.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\NQD6L0Q.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M\system.exe	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\NQD6L0Q.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\service.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M\system.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M\service.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\LRX3Y6M\regedit.cmd	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M	system.exe
File opened for modification	C:\Windows\LRX3Y6M	winlogon.exe
File opened for modification	C:\Windows\LRX3Y6M\smss.exe	service.exe
File opened for modification	C:\Windows\LRX3Y6M\system.exe	system.exe
File opened for modification	C:\Windows\LRX3Y6M\system.exe	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\regedit.cmd	smss.exe
File opened for modification	C:\Windows\LRX3Y6M\UMT6F3M.exe	smss.exe
File opened for modification	C:\Windows\LRX3Y6M\MYpIC.zip	system.exe
File opened for modification	C:\Windows\LRX3Y6M	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M\service.exe	system.exe
File opened for modification	C:\Windows\LRX3Y6M\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\NQD6L0Q.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\LRX3Y6M\UMT6F3M.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\LRX3Y6M\service.exe	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\service.exe	smss.exe
File opened for modification	C:\Windows\NQD6L0Q.exe	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\LRX3Y6M\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\smss.exe	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\LRX3Y6M\winlogon.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\TXJ1F1E.exe	system.exe
File opened for modification	C:\Windows\LRX3Y6M\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\smss.exe	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\KNK7O5H.com	lsass.exe
File opened for modification	C:\Windows\LRX3Y6M\winlogon.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M\winlogon.exe	1b251af519386823ce936c4742f4e720N.exe
File opened for modification	C:\Windows\LRX3Y6M\regedit.cmd	service.exe
File opened for modification	C:\Windows\LRX3Y6M\service.exe	winlogon.exe
File opened for modification	C:\Windows\LRX3Y6M\KNK7O5H.com	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\LRX3Y6M\smss.exe	smss.exe
File created	C:\Windows\MooNlight.txt	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1660	1b251af519386823ce936c4742f4e720N.exe
2820	service.exe
2840	system.exe
2628	winlogon.exe
1548	lsass.exe
2736	smss.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2820	1660	1b251af519386823ce936c4742f4e720N.exe	30
PID 1660 wrote to memory of 2820	1660	1b251af519386823ce936c4742f4e720N.exe	30
PID 1660 wrote to memory of 2820	1660	1b251af519386823ce936c4742f4e720N.exe	30
PID 1660 wrote to memory of 2820	1660	1b251af519386823ce936c4742f4e720N.exe	30
PID 1660 wrote to memory of 2736	1660	1b251af519386823ce936c4742f4e720N.exe	31
PID 1660 wrote to memory of 2736	1660	1b251af519386823ce936c4742f4e720N.exe	31
PID 1660 wrote to memory of 2736	1660	1b251af519386823ce936c4742f4e720N.exe	31
PID 1660 wrote to memory of 2736	1660	1b251af519386823ce936c4742f4e720N.exe	31
PID 1660 wrote to memory of 2840	1660	1b251af519386823ce936c4742f4e720N.exe	32
PID 1660 wrote to memory of 2840	1660	1b251af519386823ce936c4742f4e720N.exe	32
PID 1660 wrote to memory of 2840	1660	1b251af519386823ce936c4742f4e720N.exe	32
PID 1660 wrote to memory of 2840	1660	1b251af519386823ce936c4742f4e720N.exe	32
PID 1660 wrote to memory of 2628	1660	1b251af519386823ce936c4742f4e720N.exe	33
PID 1660 wrote to memory of 2628	1660	1b251af519386823ce936c4742f4e720N.exe	33
PID 1660 wrote to memory of 2628	1660	1b251af519386823ce936c4742f4e720N.exe	33
PID 1660 wrote to memory of 2628	1660	1b251af519386823ce936c4742f4e720N.exe	33
PID 1660 wrote to memory of 1548	1660	1b251af519386823ce936c4742f4e720N.exe	34
PID 1660 wrote to memory of 1548	1660	1b251af519386823ce936c4742f4e720N.exe	34
PID 1660 wrote to memory of 1548	1660	1b251af519386823ce936c4742f4e720N.exe	34
PID 1660 wrote to memory of 1548	1660	1b251af519386823ce936c4742f4e720N.exe	34

C:\Users\Admin\AppData\Local\Temp\1b251af519386823ce936c4742f4e720N.exe
"C:\Users\Admin\AppData\Local\Temp\1b251af519386823ce936c4742f4e720N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\LRX3Y6M\service.exe
  "C:\Windows\LRX3Y6M\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2820
- C:\Windows\LRX3Y6M\smss.exe
  "C:\Windows\LRX3Y6M\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Windows\LRX3Y6M\system.exe
  "C:\Windows\LRX3Y6M\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Windows\LRX3Y6M\winlogon.exe
  "C:\Windows\LRX3Y6M\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\My Pictures.exe

Filesize
2.0MB

MD5
4f2ef0f74ef46ef469efe5a2ccf312e8

SHA1
72df2dd0c327dc381dbfcf9251ba0332096f23f9

SHA256
e8edc5bf22dbfc2feec18f899e59e54bd65a3355169d3305e0b35022498a45df

SHA512
fe55766020152e0cbee9b2b08daafdf7519af67e3cf1b094d36fbea1b66cba231693adabb9f4095b4ca91f91441c00b99a80c8e7cab41bd5ee215e8a33a0b47d

Download Submit
C:\Windows\LRX3Y6M\KNK7O5H.com

Filesize
2.0MB

MD5
769d3ca2b74c64884aee30f85e315ab0

SHA1
a26ce1973c0e476681d13926cb5ab88de08b943d

SHA256
a84ce73bb695616a530a0bb15b5b2f3e65ff7b06a2445cf8a8ff5a5ac0fd5937

SHA512
04a20b40de26c97adcd3c31fef46951125de6ea1606b571e421c9cc92cbffb9ba5ec90040b16628ddd597b3912e7c3cf70602b8df6da03715a5a8fcd74aecb54

Download Submit
C:\Windows\LRX3Y6M\KNK7O5H.com

Filesize
2.0MB

MD5
ffaec9a378f1990473b468a9827f0d2f

SHA1
3dc2003fba43b2e3c124200472907c182f16079d

SHA256
e5ccbbbb72923d48cf9a55c6813df646b4a4014384d5f63e32c2b9e06137dd2e

SHA512
00fc5ebcfbb31c6c23f36327f4ebc8bd962502345304948625ce047b7f3003b70db69dd1a92712dafb1eb129c04f92c79b398b34b0d936ac0a489a803daa3173

Download Submit
C:\Windows\LRX3Y6M\regedit.cmd

Filesize
2.0MB

MD5
da9b30b4e82100112e21df4acdd8027e

SHA1
2ff756b5ed79e0f3d3ad4b12d00617bdc7d4b074

SHA256
6dc44eb2b7869eec390eef2556b6e0ba05780a57a31b504b902c3adec1fca845

SHA512
d73debba5c90998bf5d30bdc8c7af47494cf56fafa3b6cd4f4a0c203b5001681d75b77f635080538fb725c643acdb52716bcd141b5f951861f9a4da10e718fee

Download Submit
C:\Windows\LRX3Y6M\service.exe

Filesize
2.0MB

MD5
84949feae5611ca2e0737ac8f4473b5a

SHA1
539599a593715db3d5acac2c5f104bfe95ab2d8f

SHA256
6c373b2fe3f2b3d583ebe5ddbfce3a3227f6b7170ba576ce69a4576a72592c1c

SHA512
bdcccffba3f5293a929f9c29e6f6658c98ebb90b3cf0e80d72f85bf252c4a1f1af44f041f1b5a04fc41b1df7723aeb4393d379165a2c2d22460dde74e9b7f4c9

Download Submit
C:\Windows\LRX3Y6M\smss.exe

Filesize
2.0MB

MD5
6b43155a93c55d3d19177b8cfae6bcef

SHA1
82f506e064cab0a018e67bec2f139871f85308d8

SHA256
12dbae6fa3300301955d6950d1b6701052c350ed0ad2c3fdf751a91fcc9a3422

SHA512
b9ad4aab2e0e370c3dd3d5131431ecebd60355b92c61be7579e532014822a43bc326f0f4d994100b9295d990c2f5a22e26a433b5efc3b92a44f7400dfe77b0f0

Download Submit
C:\Windows\LRX3Y6M\winlogon.exe

Filesize
2.0MB

MD5
45bd525df5621ea968c18cc4240b8856

SHA1
dd5066077d265d322eb53e87224d76806f0d0de6

SHA256
dab17e9db96bd4ca5c215ecb9816084773ba8c44347db1b5843866986dae97df

SHA512
f1847e2f294eaf708291a475047b9eee0ff99072b4c6db8dcc3fa9658ca1e59b3afd7d8ddc8b0ea56815b325d3ac330ea37be0063dcbe2ccee7579449ea024e5

Download Submit
C:\Windows\NQD6L0Q.exe

Filesize
2.0MB

MD5
5cbca9b81e844c50c12b89f887679e0d

SHA1
461f13c4e66dafa51f05ca6ef5ba2adc24e8ee52

SHA256
a448d5aa1f80399c91eeae9c46586c370715e3ac4772a60033b8b4e9123627df

SHA512
b7ef4d6649a4b7979c3ac935694acfc0f8281d04f7b1404752cca3e774e1d8a486cd364a2f1622cd3c43a845aeb79766f81e5878b1d4f6030342875d2373bf23

Download Submit
C:\Windows\NQD6L0Q.exe

Filesize
2.0MB

MD5
e46cbee09e2318139c681ad701184d61

SHA1
1d480705ce0f025e37aabde4af11011418ac1ecb

SHA256
c8ead78be2cbf747f7f844d75834f30fd84625870b37ed0893970c97065522f5

SHA512
8a1987853f374a8c8609016d80614842b6606651cdb4eff5d78aa13f63b19ef219256a69c8e24d6a7731208c87a0a80ab056ea0ed3ea49168601c5ffaa5d712c

Download Submit
C:\Windows\NQD6L0Q.exe

Filesize
2.0MB

MD5
2c33b38ce4ab91e72e010cd53a85f2e3

SHA1
63bdfc7435c163ee52555be3f99edcda8b1e747b

SHA256
c9a896aea5b96e59c5f853067175f6f0ecf5a5e7b5b56161e7ee700a5dd193d5

SHA512
ae06a2f5bfb5b754341891e4c31c98457ebe00add105c8b8c8ad183b5b600362fe4e555eb429bd38e936e42b41f921b4e5fc9be226bdd1386c6ef6d06a510196

Download Submit
C:\Windows\SysWOW64\TSW3E2O.exe

Filesize
2.0MB

MD5
cd8dc828a89e641492f179256e8d3ef5

SHA1
3801749c41092e2547ef5c9423d0c4942dca3f8c

SHA256
618ba5f0edac2ad7d975430438b5c1bd02e51254663751568ced0ae3af700d06

SHA512
9dad8758aaa50f51f1d460ca2290889da247b795e288bc8348bbad1a87fec5d3355b2880cb56361beed05dd0c24276fbb1b8271540f2e18d18a9df60caf12d11

Download Submit
C:\Windows\SysWOW64\TSW3E2O.exe

Filesize
2.0MB

MD5
8a5e940fc198fdc348bd31f610359eee

SHA1
7c89ba50ec445382ae8c4195b6b4496bf6000673

SHA256
73714d272de0052184ddb24c4864880d76255888eef4625d22a118ec43f0a206

SHA512
968af01310255155dddf0dd18b3bab1d8db15a65f059b54f1adeb98220907220732ed86aa22d9be4513402e1946cb381d2d440dc4a076555ef3c38c22bd2fa87

Download Submit
C:\Windows\SysWOW64\WRQ2X8STXJ1F1E.exe

Filesize
2.0MB

MD5
17ea37bbf46436589fc204b45c881fdb

SHA1
c701d860cf9020c84a9d032743f1b5b516295907

SHA256
ae3cb8679ad8af9ac7b911fb841365cb9d4d91f06880983921350d3645b80179

SHA512
8336ea1f9a95f85803f5ac01765f1a1dbe1fb4fddcb609defcc0f08de3000a29ff3c936dcf65469d69b1f51790f8c0e1e850630326c915d7a3be8938e5f20a83

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
03665513a52cee65415a09c879ef5881

SHA1
6b5efc7a57f9f0b3eef7213d8a2b67e451459749

SHA256
7b391e0fa876de848596c0212c65c44d5206be98de0160037092375c97f688b3

SHA512
16ed9521ddd1fb87698b166d8f4bd52f6fd4233b11b9b90ebd2a1d41422c6fb4a7809e121be7449f11d9efaa5c287d4f2edbc80e6342c31e1e98f048a2abb1d3

Download Submit
C:\Windows\TXJ1F1E.exe

Filesize
2.0MB

MD5
172cdeb450db9ddbdea2ffd43f12c20e

SHA1
b9b75b205d57d9918394571cc4eef5fd2387387a

SHA256
cd377484f72fea2131843eae73eab22594394c013f30e2e112dc7d52f632d06c

SHA512
3797a736413293397f44158fee72d4a82ab01b612a73574ff3b9e5318ef356fb6d913103e5e087d824ef9a01854bcd69e31e13ecb0bf0aee1cc670dfe742f338

Download Submit
C:\Windows\TXJ1F1E.exe

Filesize
2.0MB

MD5
26b4fd683efe2159b52dca2ae2e3fdf7

SHA1
4fc6ddd2a5f6908583320da2ac74051e324c33ae

SHA256
fa8bae524c648632686be9dd91387bf86a7cd50a01f02d3eff57244543c85e1e

SHA512
4120fe3eee6c5ebc91bd135f51f2899a436047673dbfbcf3deb34b26d8b60b06000b79d0f7ec00a9dfc288f91772d7babf7fe82451919f68f9ee15d6fede698e

Download Submit
C:\Windows\TXJ1F1E.exe

Filesize
2.0MB

MD5
b3784c8367ec20493dcd6ee8a7b7c2a8

SHA1
a485c956693a06585b86b865ebd38bfb2764db27

SHA256
8f1ca143d52f9290431f15503db5d11ff4ef92944140550bcba86c244c361f94

SHA512
546352892f526fd61099443ac740e7f25948aa564048d4862e14f5a97203055157989cfaadb7738e71ddf24166a9f67ab6c45073994d8d612519385c80870b07

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
e9451860cfa19590dcf5765445c4fe6a

SHA1
64833587ca65612a92dc069b2a5944e9d75b12c2

SHA256
88cd19c8dc10e27a72bc776bf00907ac8670f80d2dda89c155678e581578301a

SHA512
bb8da8ae3a7a5cbd392c3d350554b9ad9ec2d53a27fad5d85f181e9ffc8e4c255c2e502046ac757b75b418d36a4faeeb4148361b748284b82ae00e4e8ca918fc

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
afc4f1b045476f92e0454b2b9e7a8084

SHA1
b8492feb7bc365eba6aa3ef4acbe93a3829bcc6b

SHA256
405e631e5b06e18fd4530857ac0a3c3b89ada9cad812fa21f0b12e4d7a573dcb

SHA512
44ce557e30f6814476747f42d7abe4c63ad2d67c969d3e591144a7c905ff73a949a655b1bf5c71f8532ac82040a130dea81a7f459ca8287b59ab06379d3c66e8

Download Submit
C:\Windows\lsass.exe

Filesize
2.0MB

MD5
1b01116f9a53ed3d311d7236bc96b742

SHA1
50e735808c25997f28401064710db3aafd94a5e9

SHA256
28589d55618766cd00290a8f57fefa26e39cd452eb0766c0a0b3834734ab188f

SHA512
3b237cd4b71ed37f952d40f2a89ff6edb0bbf3bc648f5f91b397e3f9f0d0b42d9e49fb0be2da9a63983d3e81b9d5cd85be9f20129661df31289b7aa1bb1d6dee

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
8e6e31f8df128a746ff9a3a38f8f78c0

SHA1
e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

SHA256
dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

SHA512
eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
23d20fc9831ebc461826788cea9af7a8

SHA1
55c817767bbe46e80003806501368d5b9310bfdf

SHA256
fd70d888b164e9545c7faf0955b9d03ae246e2597953978936a41ec0cf6f0260

SHA512
9ee8470991f875f11f7aa6a1a5b5dfdffb3640caab60917f6de51eef028c9af141fc6ed50e2304c6cb2e395f822710271a16d9bc19fe1bb77ec44f7f4147bd40

Download Submit
\Windows\LRX3Y6M\system.exe

Filesize
2.0MB

MD5
c14ac3e084d415e91b3a28ef09f81c61

SHA1
464036f1a862927774db5189171f495de4d93040

SHA256
76e65f1e0282a12253f1d60ab3690bd1b5e44abb0888e6b2172a555984382c24

SHA512
44d90178a291abb3261695a88a330187bea30fbe544324a0e18fa046056c85315b309482152008e75245da417ea340e2141ff4356bb1beb653e72b64c51e31f7

Download Submit
memory/1548-251-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1548-175-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1548-241-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1660-174-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1660-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1660-177-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1660-65-0x00000000033D0000-0x0000000003421000-memory.dmp

Filesize
324KB

Download
memory/1660-71-0x00000000033D0000-0x0000000003421000-memory.dmp

Filesize
324KB

Download
memory/1660-48-0x00000000033C0000-0x0000000003411000-memory.dmp

Filesize
324KB

Download
memory/2628-249-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-126-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-299-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-289-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-237-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-284-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-279-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-265-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-260-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-255-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2628-250-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2736-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2736-235-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2820-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2820-233-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2840-248-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2840-245-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2840-78-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2840-243-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2840-244-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2840-242-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2840-278-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2840-236-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads