6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Size

91KB
MD5

6f6dd0f5946e5941ce684aa25d0d55a0
SHA1

b9864560bda81cd4e8d5b3b3b69a466801b59c24
SHA256

6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6
SHA512

878c44a30eaf541b01825a0c78966ae2b788dd8751ecbfb50e35fb05eab93353ce6a9c2797ce7bedb5936347b8d4effbe4cad5211dfe8a4584267135559668ea
SSDEEP

1536:QRsjdIZfaif4YrxCjjKnouy8VzVRsjdIZfaif4YrxCjjKnouy8VzK:QOyZy9wCjOouttVOyZy9wCjOouttK

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1648	xk.exe
1444	IExplorer.exe
2896	WINLOGON.EXE
1388	CSRSS.EXE
836	SERVICES.EXE
1244	LSASS.EXE
2004	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2888-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000018b68-8.dat	upx
behavioral1/files/0x0008000000019240-111.dat	upx
behavioral1/memory/1648-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1648-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001961e-117.dat	upx
behavioral1/memory/2888-119-0x00000000004B0000-0x00000000004DF000-memory.dmp	upx
behavioral1/memory/1444-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000196a1-129.dat	upx
behavioral1/files/0x0005000000019926-140.dat	upx
behavioral1/memory/2896-143-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1388-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2888-149-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1388-153-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019c34-154.dat	upx
behavioral1/memory/836-163-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019c3c-165.dat	upx
behavioral1/memory/1244-176-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019c3e-177.dat	upx
behavioral1/memory/2004-184-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2888-190-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2004-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
File created	C:\Windows\SysWOW64\shell.exe	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
File created	C:\Windows\SysWOW64\Mig2.scr	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
File created	C:\Windows\xk.exe	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
1648	xk.exe
1444	IExplorer.exe
2896	WINLOGON.EXE
1388	CSRSS.EXE
836	SERVICES.EXE
1244	LSASS.EXE
2004	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 1648	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	30
PID 2888 wrote to memory of 1648	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	30
PID 2888 wrote to memory of 1648	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	30
PID 2888 wrote to memory of 1648	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	30
PID 2888 wrote to memory of 1444	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	31
PID 2888 wrote to memory of 1444	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	31
PID 2888 wrote to memory of 1444	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	31
PID 2888 wrote to memory of 1444	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	31
PID 2888 wrote to memory of 2896	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	32
PID 2888 wrote to memory of 2896	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	32
PID 2888 wrote to memory of 2896	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	32
PID 2888 wrote to memory of 2896	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	32
PID 2888 wrote to memory of 1388	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	33
PID 2888 wrote to memory of 1388	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	33
PID 2888 wrote to memory of 1388	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	33
PID 2888 wrote to memory of 1388	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	33
PID 2888 wrote to memory of 836	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	34
PID 2888 wrote to memory of 836	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	34
PID 2888 wrote to memory of 836	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	34
PID 2888 wrote to memory of 836	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	34
PID 2888 wrote to memory of 1244	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	35
PID 2888 wrote to memory of 1244	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	35
PID 2888 wrote to memory of 1244	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	35
PID 2888 wrote to memory of 1244	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	35
PID 2888 wrote to memory of 2004	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	36
PID 2888 wrote to memory of 2004	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	36
PID 2888 wrote to memory of 2004	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	36
PID 2888 wrote to memory of 2004	2888	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe

C:\Users\Admin\AppData\Local\Temp\6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe
"C:\Users\Admin\AppData\Local\Temp\6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2888
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1648
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1444
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1388
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:836
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
6f6dd0f5946e5941ce684aa25d0d55a0

SHA1
b9864560bda81cd4e8d5b3b3b69a466801b59c24

SHA256
6ddaaa257c1c760cc3ef8863cf34edfaee8bc690d7c02449a0d590d38b43e6b6

SHA512
878c44a30eaf541b01825a0c78966ae2b788dd8751ecbfb50e35fb05eab93353ce6a9c2797ce7bedb5936347b8d4effbe4cad5211dfe8a4584267135559668ea

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
65e573d3027a6dafbf453d6229cc475b

SHA1
08d466ae31e363744a759dd3b6a37c32d524750e

SHA256
051a54aa6b8ef06ebb69d8c3f73eb71a7064ca81667364bdbdf7286660c7b1eb

SHA512
fa9c73bc1fb8d0f3b85620efb14537953b2812f3d2e1693f0a995aca1f06eb70397940ce0ddba395a57306f572972b655bb5a462c1da715c818ef989a340186a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
5ffefae4938f06d0df3080dd8c048192

SHA1
f7f0a21436683ea7b78af2f2f418257b6680930b

SHA256
808dc02eb28ad2ee310b90fa0a5a6db58bb92aafe3c98a1769761d624708e715

SHA512
fea81e2cb9cad7cfd9abf2c096b3c4601d59ff97ed3265aac7199e7c078a930102303d96335c03435af654bc4031ad87fda7219c1347537fa52e40809ca43b27

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
f3dfedf418b001168d1642827ef46f72

SHA1
0985c0413f360ca8429d2084165120a883bbf5c4

SHA256
daeea8519da291a6aebbff4a7c98ecbadaa7e2b178627411f1ee5643693713f4

SHA512
87aeef6db0e98a945d97445530d38a94584c1f0782edcd59b5b4dbec09e5549c5f0fdcc2943941989016e97f1f1546258fe7350a0ef3ec3ffdb43fee65eca8dd

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
9dbeeae082342c9ea7cf496bbf9969ac

SHA1
0a69b3583e6c264bf66b3b549d621df5c53a6d90

SHA256
658dff65fdf9d68c400f5e7e3ab24c4a3a519173cf1487d69ffd9d6e9e570c33

SHA512
64b177b9c13afe83218cecc6a1f6be8f23f7d2a03662d8a4bc90a4f0cea8e5461a69733c677c9f2b43693009ae7cdfffe34c9029e0d2accd10d400691f62f231

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
c3638dedd1fe857224013af0a414592d

SHA1
c5362fd0826794db41b155baa206bc4bec2da509

SHA256
96faa4728f12b0e4f77a2bd29e1675bc2b722bb471d593fe71a410f69f64a72f

SHA512
dd53bb7855a7659618fd92faf9b457a9c6b9b4066d19f0cf7cb1faa381c858cb74c3b8af8eaf9b34114e5078589c0841a5b1a71acca1c81b50ee09dce16fba5c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
c35aad72b94e10670e3cc9eb4b6b311b

SHA1
97d9276c1a74d0e4d99b217da9aca1e0a0f8e2a6

SHA256
bf8e19172a8f7e9aa28b0b70c48b968ce2e09b45c4ff6d3ac6288c1bbf83790c

SHA512
16283ec3693b1aaf05a8ff15ec5e2b63c59433306cb5696f0fa49fd74c3015d5bb87e231908e5bbde2a5113579796fd99502a12b1ac197a7e400b71232e1c9d8

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
75951f8e7ccc283dbdda76fa9ccf4a0a

SHA1
1b5b505ef43519e736350fcf927d3b31be7314c1

SHA256
21c5daee5da116430259fc1011ede3b43139392f3c60d53271c57883bdc34cd2

SHA512
ee18c38a5c72bfb0244812bdb117a20eff1e7424e556faa7f92758ca0db17b4a0d75e4c726bdaf904ee3c024af8dc7d371e9fbd83750f1da3c5f8a515f2a5cca

Download Submit
memory/836-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1244-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1444-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-109-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2888-125-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2888-119-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2888-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-172-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2888-168-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2888-134-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2888-136-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2888-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2888-110-0x00000000004B0000-0x00000000004DF000-memory.dmp

Filesize
188KB

Download
memory/2896-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download