e90d30455cb81e4e9c86efc71795ea8d0515ba3ca09db7fc772370b80ad3c499

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/08/2024, 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

499497eb0b313f9acc8c6b5f0d493d00N.exe
Size

196KB
MD5

499497eb0b313f9acc8c6b5f0d493d00
SHA1

98524b17547455f007eda62522841433b43060af
SHA256

e90d30455cb81e4e9c86efc71795ea8d0515ba3ca09db7fc772370b80ad3c499
SHA512

0345157e3a68b25aa2cae46c05e2df24e8c4c0afb06d4d2eb5d28a99e528eb3a93def313a264b9feb93691d7cf0092f051aa1c83bbbcebccae8fad2128d5a5c7
SSDEEP

3072:ZOgUXoutNAxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoS2RARoYlld9n2Qpmx

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	499497eb0b313f9acc8c6b5f0d493d00N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	499497eb0b313f9acc8c6b5f0d493d00N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	499497eb0b313f9acc8c6b5f0d493d00N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	499497eb0b313f9acc8c6b5f0d493d00N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2180	xk.exe
860	IExplorer.exe
580	WINLOGON.EXE
2868	CSRSS.EXE
2880	SERVICES.EXE
2288	LSASS.EXE
640	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	499497eb0b313f9acc8c6b5f0d493d00N.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1672-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00080000000164cf-8.dat	upx
behavioral1/files/0x0007000000016c03-109.dat	upx
behavioral1/memory/2180-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019272-115.dat	upx
behavioral1/memory/860-124-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/860-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019309-128.dat	upx
behavioral1/memory/580-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/580-141-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019346-142.dat	upx
behavioral1/memory/2868-151-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2868-154-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019358-155.dat	upx
behavioral1/memory/1672-162-0x0000000002580000-0x00000000025AF000-memory.dmp	upx
behavioral1/memory/2880-165-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019368-166.dat	upx
behavioral1/memory/2288-176-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019385-177.dat	upx
behavioral1/memory/1672-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/640-191-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1672-192-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	499497eb0b313f9acc8c6b5f0d493d00N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	499497eb0b313f9acc8c6b5f0d493d00N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	499497eb0b313f9acc8c6b5f0d493d00N.exe
File created	C:\Windows\SysWOW64\shell.exe	499497eb0b313f9acc8c6b5f0d493d00N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	499497eb0b313f9acc8c6b5f0d493d00N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	499497eb0b313f9acc8c6b5f0d493d00N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	499497eb0b313f9acc8c6b5f0d493d00N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	499497eb0b313f9acc8c6b5f0d493d00N.exe
File created	C:\Windows\xk.exe	499497eb0b313f9acc8c6b5f0d493d00N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	499497eb0b313f9acc8c6b5f0d493d00N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	499497eb0b313f9acc8c6b5f0d493d00N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1672	499497eb0b313f9acc8c6b5f0d493d00N.exe
2180	xk.exe
860	IExplorer.exe
580	WINLOGON.EXE
2868	CSRSS.EXE
2880	SERVICES.EXE
2288	LSASS.EXE
640	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2180	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	30
PID 1672 wrote to memory of 2180	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	30
PID 1672 wrote to memory of 2180	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	30
PID 1672 wrote to memory of 2180	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	30
PID 1672 wrote to memory of 860	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	31
PID 1672 wrote to memory of 860	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	31
PID 1672 wrote to memory of 860	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	31
PID 1672 wrote to memory of 860	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	31
PID 1672 wrote to memory of 580	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	32
PID 1672 wrote to memory of 580	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	32
PID 1672 wrote to memory of 580	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	32
PID 1672 wrote to memory of 580	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	32
PID 1672 wrote to memory of 2868	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	33
PID 1672 wrote to memory of 2868	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	33
PID 1672 wrote to memory of 2868	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	33
PID 1672 wrote to memory of 2868	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	33
PID 1672 wrote to memory of 2880	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	34
PID 1672 wrote to memory of 2880	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	34
PID 1672 wrote to memory of 2880	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	34
PID 1672 wrote to memory of 2880	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	34
PID 1672 wrote to memory of 2288	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	35
PID 1672 wrote to memory of 2288	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	35
PID 1672 wrote to memory of 2288	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	35
PID 1672 wrote to memory of 2288	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	35
PID 1672 wrote to memory of 640	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	36
PID 1672 wrote to memory of 640	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	36
PID 1672 wrote to memory of 640	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	36
PID 1672 wrote to memory of 640	1672	499497eb0b313f9acc8c6b5f0d493d00N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	499497eb0b313f9acc8c6b5f0d493d00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	499497eb0b313f9acc8c6b5f0d493d00N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	499497eb0b313f9acc8c6b5f0d493d00N.exe

C:\Users\Admin\AppData\Local\Temp\499497eb0b313f9acc8c6b5f0d493d00N.exe
"C:\Users\Admin\AppData\Local\Temp\499497eb0b313f9acc8c6b5f0d493d00N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1672
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2180
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:860
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:580
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2288
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
196KB

MD5
499497eb0b313f9acc8c6b5f0d493d00

SHA1
98524b17547455f007eda62522841433b43060af

SHA256
e90d30455cb81e4e9c86efc71795ea8d0515ba3ca09db7fc772370b80ad3c499

SHA512
0345157e3a68b25aa2cae46c05e2df24e8c4c0afb06d4d2eb5d28a99e528eb3a93def313a264b9feb93691d7cf0092f051aa1c83bbbcebccae8fad2128d5a5c7

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
8f42064fee33eace09c402bd97522d53

SHA1
0bb7f79d25e539e668664e3211dd2ace76eab509

SHA256
c322c78521009744fb72d859dbd679c5ccc31d9665720e834d2197e8d7c81558

SHA512
357e001073d7b2b06363a81d1cac14353bcdedeece7ff44f7b1abe6f912448f424bdf27dd990c8b27a60bd8378f63d696728d5655c3ab116f30919f01426be5c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
a3d6ba97e028949e2cb2bc6c442ba8b4

SHA1
23e253c3d5ef1966ebead7a9333a0494df0637b6

SHA256
abc08b99a2989b019a8ced71767ceb115ee0709ea67eaaf86c31f5918c8ed5c6

SHA512
5dd1734d522bfc1a81e7b16034995ac74035c1e21d765c2ba1dccbce0a3688674c906c92602dd4fc35e718263cb8725d6ac44adafb265da2763673de13ddcf97

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
e3d73bd201754ee407a1d0ef72553657

SHA1
7ad154e9ca3314dd99fa13820f087e84a591e017

SHA256
a534e46784b880ff63548facde407b3c00e32be6204442910e9a0bd9323bc4e2

SHA512
27dd5bf42c7d60529cb6e7470904ace4e844dea50a5112aaf6bb5347a64192fe6370c4b35fce5be471d211ed35af4b2195a2a57565469f02d1c7c5395b27b3ab

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
b9de8b6357a6409c7326e10620f9177f

SHA1
302202a52a9bacab94a31b776206d0b446b748cd

SHA256
dd2f26fd15209efb0c19d7ba172c0846798d48a9d601bc53ca9ce786b8e33608

SHA512
f1f54de789b0adbadadb9981fa1c9721b8194ce226d2618bedf83b363160ca81637ea3cec6f7cbbe07e60c72a4ad3b1a757a7be66b99b877833540f3f63d0203

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
1c00633320cfb06575ab35c417bfbc3d

SHA1
fe1f9bb86e4b91c95fbb6fbdb8b7f6a52923f0e9

SHA256
f196b92c08aa07abdd491ec823171c57b78cc2df00ee7fb253d08997e03b1f95

SHA512
bdc3cab2ac2fa6dfd8624a9f8a4ffbe567a06671334746e6eec2497811d6303104080937284a2f5017f13a941788a525601ca7ffd9770b25147323619354f19c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
7ae3c577f2546e41a533a7d93c1931ad

SHA1
8e5b4b2a132a7a542eb2a19553af4aa8358709c0

SHA256
605b08de26f341191628d1925a1119f95cf3466ece7e15370f3873d8fdcb8efd

SHA512
a9ab046ac5503e831121da1a9c040302eb7e3e15cfee69477cf0a32bd1982f03fa20276fe7ce2d68c6cc4c29f7337121c052f848d59d29b4cb9d904ad5a91ec8

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
542e9e2d18859ccf588fda34989122b0

SHA1
ab8d1b6e2ec955eb05bd610264ef359907c225e0

SHA256
09fb7f40caab7ff012560c36dfcd0a49a51453f41e0d40ef2bdcd7f73d7e39fc

SHA512
15a3e7a3bce93529887da019612bf8942c1012f89415fe179659c20efd9e709f931a415b31f9f3ba4c701ad9ee959423ba7686bb575df6f90fe6dd438f4a27d3

Download Submit
memory/580-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-162-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-150-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-136-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-110-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-111-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-149-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-122-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-135-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-184-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-183-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/1672-123-0x0000000002580000-0x00000000025AF000-memory.dmp

Filesize
188KB

Download
memory/2180-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-154-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2868-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download