Analysis
max time kernel: 119s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14/08/2024, 14:20

Static task: static1
Behavioral task: behavioral1
Sample: 01e04c58ed14a215b0b20487ba941810N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 01e04c58ed14a215b0b20487ba941810N.exe
Resource: win10v2004-20240802-en

General
Target: 01e04c58ed14a215b0b20487ba941810N.exe
Size: 170KB
MD5: 01e04c58ed14a215b0b20487ba941810
SHA1: ce42fdf609059e8ad2b9841e621c1748de007f01
SHA256: 6fb537b8af964cd320bd7e7bba534ae4af3b8aedf5fc0a388b12f2ef27adf9a0
SHA512: 0a1983a99e7f7794fcd035ce5eacb1f44ad3f3b437d9d954bcff8ce2d9f981674dc3cf906090e8b11538005eddb16ffd0d49b21a00816fc8467599634fd3faf8
SSDEEP: 3072:WCcKpzOpm3uKQCDWeyDKVPy7THK4WZZzUR9Lr0lQbX:H7zOSuccuVqfp2+Se
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\CHN8O2D.{645FF040-5081-101B-9F08-00AA002F954E}\\LDJ2T8C.exe\"" | lsass.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | lsass.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | lsass.exe
Disables use of System Restore points 1 TTPs
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\CHN8O2D.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | lsass.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0008000000016848-106.dat | acprotect
Executes dropped EXE 3 IoCs
pid | Process
2772 | service.exe
2792 | smss.exe
2436 | lsass.exe
Loads dropped DLL 4 IoCs
pid | Process
2988 | 01e04c58ed14a215b0b20487ba941810N.exe
2988 | 01e04c58ed14a215b0b20487ba941810N.exe
2988 | 01e04c58ed14a215b0b20487ba941810N.exe
2988 | 01e04c58ed14a215b0b20487ba941810N.exe
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
resource | yara_rule
behavioral1/files/0x0008000000016848-106.dat | upx
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sHN3Y5H0 = "C:\\Windows\\system32\\NIG8N4IJOX6T6R.exe" | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0T8COX = "C:\\Windows\\EGQ3Y5H.exe" | lsass.exe
Drops desktop.ini file(s) 28 IoCs
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 28 IoCs
Drops file in Windows directory 61 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | service.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01e04c58ed14a215b0b20487ba941810N.exe
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" | lsass.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | lsass.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | lsass.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2988 | 01e04c58ed14a215b0b20487ba941810N.exe
2772 | service.exe
2792 | smss.exe
2436 | lsass.exe
Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 2988 wrote to memory of 2772 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 31
PID 2988 wrote to memory of 2772 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 31
PID 2988 wrote to memory of 2772 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 31
PID 2988 wrote to memory of 2772 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 31
PID 2988 wrote to memory of 2792 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 32
PID 2988 wrote to memory of 2792 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 32
PID 2988 wrote to memory of 2792 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 32
PID 2988 wrote to memory of 2792 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 32
PID 2988 wrote to memory of 2436 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 33
PID 2988 wrote to memory of 2436 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 33
PID 2988 wrote to memory of 2436 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 33
PID 2988 wrote to memory of 2436 | 2988 | 01e04c58ed14a215b0b20487ba941810N.exe | 33
Processes
C:\Users\Admin\AppData\Local\Temp\01e04c58ed14a215b0b20487ba941810N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\01e04c58ed14a215b0b20487ba941810N.exe"
PID: 2988
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\CHN8O2D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  Command line: "C:\Windows\CHN8O2D.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  PID: 2772
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Windows\CHN8O2D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  Command line: "C:\Windows\CHN8O2D.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  PID: 2792
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Windows\lsass.exe
  Command line: "C:\Windows\lsass.exe"
  PID: 2436
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (5)
Downloads