0397b757788cbb55791a9141fcb7a9b01de35aa8599aba97d4b515fedd38b24a

Analysis

max time kernel
98s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6837a38ca68f41ada762af461ae561e0N.exe
Size

91KB
MD5

6837a38ca68f41ada762af461ae561e0
SHA1

3f0560623763010e7a4311af0702451e9d99636d
SHA256

0397b757788cbb55791a9141fcb7a9b01de35aa8599aba97d4b515fedd38b24a
SHA512

cf436ff9fd07d6c47aeea51a8f88844bcfeb4c6e744a3ea55f7b07d47d542fde39650c62b5157afa29af0c33d265584b5513cd85f8881b13a09f8f5c4392e732
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imuw3gRYjXbUeHORIC4Z2:uT3OA3+KQsxfS41T3OA3+KQsxfS4q

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	6837a38ca68f41ada762af461ae561e0N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6837a38ca68f41ada762af461ae561e0N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6837a38ca68f41ada762af461ae561e0N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6837a38ca68f41ada762af461ae561e0N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
3004	xk.exe
2800	IExplorer.exe
3324	WINLOGON.EXE
4868	CSRSS.EXE
3640	SERVICES.EXE
3100	LSASS.EXE
4224	SMSS.EXE
1808	xk.exe
3500	IExplorer.exe
852	WINLOGON.EXE
1956	CSRSS.EXE
2168	SERVICES.EXE
364	LSASS.EXE
4308	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6837a38ca68f41ada762af461ae561e0N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	6837a38ca68f41ada762af461ae561e0N.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	6837a38ca68f41ada762af461ae561e0N.exe
File created	C:\desktop.ini	6837a38ca68f41ada762af461ae561e0N.exe
File opened for modification	F:\desktop.ini	6837a38ca68f41ada762af461ae561e0N.exe
File created	F:\desktop.ini	6837a38ca68f41ada762af461ae561e0N.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\Q:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\R:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\V:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\G:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\N:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\S:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\T:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\O:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\W:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\Z:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\B:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\E:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\L:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\M:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\U:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\X:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\Y:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\H:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\I:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\J:	6837a38ca68f41ada762af461ae561e0N.exe
File opened (read-only)	\??\K:	6837a38ca68f41ada762af461ae561e0N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	6837a38ca68f41ada762af461ae561e0N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	6837a38ca68f41ada762af461ae561e0N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	6837a38ca68f41ada762af461ae561e0N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	6837a38ca68f41ada762af461ae561e0N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	6837a38ca68f41ada762af461ae561e0N.exe
File created	C:\Windows\SysWOW64\shell.exe	6837a38ca68f41ada762af461ae561e0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	6837a38ca68f41ada762af461ae561e0N.exe
File created	C:\Windows\xk.exe	6837a38ca68f41ada762af461ae561e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6837a38ca68f41ada762af461ae561e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\	6837a38ca68f41ada762af461ae561e0N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6837a38ca68f41ada762af461ae561e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6837a38ca68f41ada762af461ae561e0N.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3420	6837a38ca68f41ada762af461ae561e0N.exe
3420	6837a38ca68f41ada762af461ae561e0N.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3420	6837a38ca68f41ada762af461ae561e0N.exe
3004	xk.exe
2800	IExplorer.exe
3324	WINLOGON.EXE
4868	CSRSS.EXE
3640	SERVICES.EXE
3100	LSASS.EXE
4224	SMSS.EXE
1808	xk.exe
3500	IExplorer.exe
852	WINLOGON.EXE
1956	CSRSS.EXE
2168	SERVICES.EXE
364	LSASS.EXE
4308	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3004	3420	6837a38ca68f41ada762af461ae561e0N.exe	84
PID 3420 wrote to memory of 3004	3420	6837a38ca68f41ada762af461ae561e0N.exe	84
PID 3420 wrote to memory of 3004	3420	6837a38ca68f41ada762af461ae561e0N.exe	84
PID 3420 wrote to memory of 2800	3420	6837a38ca68f41ada762af461ae561e0N.exe	85
PID 3420 wrote to memory of 2800	3420	6837a38ca68f41ada762af461ae561e0N.exe	85
PID 3420 wrote to memory of 2800	3420	6837a38ca68f41ada762af461ae561e0N.exe	85
PID 3420 wrote to memory of 3324	3420	6837a38ca68f41ada762af461ae561e0N.exe	86
PID 3420 wrote to memory of 3324	3420	6837a38ca68f41ada762af461ae561e0N.exe	86
PID 3420 wrote to memory of 3324	3420	6837a38ca68f41ada762af461ae561e0N.exe	86
PID 3420 wrote to memory of 4868	3420	6837a38ca68f41ada762af461ae561e0N.exe	87
PID 3420 wrote to memory of 4868	3420	6837a38ca68f41ada762af461ae561e0N.exe	87
PID 3420 wrote to memory of 4868	3420	6837a38ca68f41ada762af461ae561e0N.exe	87
PID 3420 wrote to memory of 3640	3420	6837a38ca68f41ada762af461ae561e0N.exe	90
PID 3420 wrote to memory of 3640	3420	6837a38ca68f41ada762af461ae561e0N.exe	90
PID 3420 wrote to memory of 3640	3420	6837a38ca68f41ada762af461ae561e0N.exe	90
PID 3420 wrote to memory of 3100	3420	6837a38ca68f41ada762af461ae561e0N.exe	91
PID 3420 wrote to memory of 3100	3420	6837a38ca68f41ada762af461ae561e0N.exe	91
PID 3420 wrote to memory of 3100	3420	6837a38ca68f41ada762af461ae561e0N.exe	91
PID 3420 wrote to memory of 4224	3420	6837a38ca68f41ada762af461ae561e0N.exe	92
PID 3420 wrote to memory of 4224	3420	6837a38ca68f41ada762af461ae561e0N.exe	92
PID 3420 wrote to memory of 4224	3420	6837a38ca68f41ada762af461ae561e0N.exe	92
PID 3420 wrote to memory of 1808	3420	6837a38ca68f41ada762af461ae561e0N.exe	93
PID 3420 wrote to memory of 1808	3420	6837a38ca68f41ada762af461ae561e0N.exe	93
PID 3420 wrote to memory of 1808	3420	6837a38ca68f41ada762af461ae561e0N.exe	93
PID 3420 wrote to memory of 3500	3420	6837a38ca68f41ada762af461ae561e0N.exe	94
PID 3420 wrote to memory of 3500	3420	6837a38ca68f41ada762af461ae561e0N.exe	94
PID 3420 wrote to memory of 3500	3420	6837a38ca68f41ada762af461ae561e0N.exe	94
PID 3420 wrote to memory of 852	3420	6837a38ca68f41ada762af461ae561e0N.exe	95
PID 3420 wrote to memory of 852	3420	6837a38ca68f41ada762af461ae561e0N.exe	95
PID 3420 wrote to memory of 852	3420	6837a38ca68f41ada762af461ae561e0N.exe	95
PID 3420 wrote to memory of 1956	3420	6837a38ca68f41ada762af461ae561e0N.exe	96
PID 3420 wrote to memory of 1956	3420	6837a38ca68f41ada762af461ae561e0N.exe	96
PID 3420 wrote to memory of 1956	3420	6837a38ca68f41ada762af461ae561e0N.exe	96
PID 3420 wrote to memory of 2168	3420	6837a38ca68f41ada762af461ae561e0N.exe	98
PID 3420 wrote to memory of 2168	3420	6837a38ca68f41ada762af461ae561e0N.exe	98
PID 3420 wrote to memory of 2168	3420	6837a38ca68f41ada762af461ae561e0N.exe	98
PID 3420 wrote to memory of 364	3420	6837a38ca68f41ada762af461ae561e0N.exe	99
PID 3420 wrote to memory of 364	3420	6837a38ca68f41ada762af461ae561e0N.exe	99
PID 3420 wrote to memory of 364	3420	6837a38ca68f41ada762af461ae561e0N.exe	99
PID 3420 wrote to memory of 4308	3420	6837a38ca68f41ada762af461ae561e0N.exe	100
PID 3420 wrote to memory of 4308	3420	6837a38ca68f41ada762af461ae561e0N.exe	100
PID 3420 wrote to memory of 4308	3420	6837a38ca68f41ada762af461ae561e0N.exe	100

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6837a38ca68f41ada762af461ae561e0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6837a38ca68f41ada762af461ae561e0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6837a38ca68f41ada762af461ae561e0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6837a38ca68f41ada762af461ae561e0N.exe

C:\Users\Admin\AppData\Local\Temp\6837a38ca68f41ada762af461ae561e0N.exe
"C:\Users\Admin\AppData\Local\Temp\6837a38ca68f41ada762af461ae561e0N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3420
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3004
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2800
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3324
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3640
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3100
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4224
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1808
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3500
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:852
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2168
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:364
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
695426a01e00eb5193b53e1551689101

SHA1
96c53bbe743eb64d437b4756204e2d3f00a631aa

SHA256
d9a3f29549bfb6ae8efed477a4e10192962b74610ea3738414f70f4988e943ea

SHA512
7ae6fec85cbe57f7bba9aadc4c80f470b14396203fa0b232e6c6b55706ac4ae1272e66fbec8e13d4e42b09f26fb8830c0465c1a3cecd3edb1c47a6cd07969ca6

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
82f40ed3bdcdc1d4ed6e77624ca7664b

SHA1
5a8efbde78dfb14c8a7d5f77b251fb8ee09ca94f

SHA256
a1f07c737dc7e498f0a9191188e06b3b2d1b6c0a309b92b85b4f615ce9883cdd

SHA512
8cc2a243f32a62040628e9678f12513cb3a15ca43915321878a9f2148eb74d430aab8d25588db63b6ba1a1f7c7ef1edc2f1559056ab0f01204e643f1d4e8d902

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
57a61818f9a7f0a4a0e3837ddf81b0be

SHA1
dba8b5f589fc89182a3e6c519ac5c29870b6dcb0

SHA256
085651c435b4129e40de7a6ce0114c62b2146b96ffc68a05377298d5665b4ea7

SHA512
907bf2d94045c47e5f35f61ab3abcaa61ad8281d7aa1bcfe29bc2431797e969d02732435fbc9ce355aa9d78c477a85584ef85e1d2b8e4782815d89af249cf82e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
a057babbdbfed57c5fac68a42cdbd0f4

SHA1
c333ddd089dde504cde445e49a7ee23e2f0ed792

SHA256
ca6e5d79a9fc7824e63213c9e792e69e8b40a209fb60d83eadd3eef2b036e0aa

SHA512
05b37386e3d590408d6b63bcd724e63c414f4f4fc2024115b53b8224aba28fbe2a43eb2b831c20025a98459965bec6cbe66f427b0e87e19abd52a7dacd35f3d3

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
5938dcb7568bddc2b2feb1ef29831e6a

SHA1
bb5e47c5fcebdb27ad6aaee331cc5fe95ed1decf

SHA256
879cdb67e3f4d755d03287bcace84be01e88fd60f5bc21fa6067e8732b193bb8

SHA512
9a3b279fc244b48b9f62f980a4b198b2884a3a38e49a52ea7e4b3946ed41ce130235ba22a7279175a33a9e103eaef6d7c5298b32245675d045ebcd1b80a5a33e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
37e73feb56047fe36b1ad6d6c1d0f4ba

SHA1
93894ea3973a8eb5550defe37622fbd11ededcd5

SHA256
eacab8b86347a36e2f043307e8f2d22d5e2c7c8dda2aaf5aed56c84280f76c97

SHA512
629aa864fdd813298f665919412fe089dc5193574f27a463f14426ca80a4164e3c7f5b2c3bb10bb0cd289b04d01b2147fdc7eed5a1eafd82d748b7dc19616180

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
18ab5e91946f1d62b4594d313771b50d

SHA1
16dc18583287d6e72eef8422524984539198be15

SHA256
daa2372d9b95053440706c697ddaec9c8ab498bf52ce86689199edb9a00deaca

SHA512
5f56e780f44812ea711579b62068d0301225d706bb5fb5ec2aad34bcb5011f6ceff8174bb08b9e6646f8aa8a3addd8776ea5280bb986734cbb33955932d52357

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
9838896fd49b75137600bb64e23f430d

SHA1
e95a41c15bd809b1d00673be970f99768b2f7e71

SHA256
85284b4f0321bff438362a008829394b2ad6b6b5f37afc7fc41ca3fbd9700e37

SHA512
4324522fbad39904e1286c5fde87e7d0ace689c343c6f8c8ad7436ab9f2eace0c93863c4c55da30f570237433964efb408b3ca50f3afbf01746d32d418c5e79c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
53c38ed608032cddb3d5c2f7a64235db

SHA1
539896d8c78655dbca239777c0408f95635aecaa

SHA256
c04301fbb9d963d1567810584ae339bb925b7a6ce725e7ed4bd63fc5718020cc

SHA512
0d3801112e06d2c8419dd3a880b863529aa341e09da1001753842345620025a9694da26563d32c4e8ecc6d8ee1fc4c06d85c61accb52f793d9c754a72c093d24

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
16511957514309cdca5781976152ccef

SHA1
5e3522db11d6576dfce29f702117387d75ff90ff

SHA256
f4ac174b9aab5ffd7026743a40c0fb1418d2271cd9948ed0d8ef1057d56893e9

SHA512
66245c4a33a97607a25b8dd3a7b42a5e0c8049b83f65924e70f3cf2e6e69553bfcd7773b855e948bb7964da621a8eedf9beb41a4750af6a42ad5ced1199c0bdd

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
6837a38ca68f41ada762af461ae561e0

SHA1
3f0560623763010e7a4311af0702451e9d99636d

SHA256
0397b757788cbb55791a9141fcb7a9b01de35aa8599aba97d4b515fedd38b24a

SHA512
cf436ff9fd07d6c47aeea51a8f88844bcfeb4c6e744a3ea55f7b07d47d542fde39650c62b5157afa29af0c33d265584b5513cd85f8881b13a09f8f5c4392e732

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
c1fab98afd0978914ed9e1595a3234b4

SHA1
0bc24bf499caaba03f2e8928fc3e5839df87e3f9

SHA256
7b111d73dfa76ca3e6e5ca9543fe7075374eeb57d51d371273add515cb3ed2a6

SHA512
f8cc3df49c0f5468ff6acf0e7c0d99d589c06280a8e9bafeae9cf3346a58caf8aa021273af6695a33cfadd6824f445f455ec6f6fb87abda78e43481f37d0becc

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
e012b17dc52d432023dbb18a3011ed64

SHA1
2fef57e4571c9826ff17ef7319391a9193dcc2b2

SHA256
d8071cb1a825291f2f7c4baca982e97528c4093feff22e2e2ce2f5255c1f08b9

SHA512
ef57d17332a430c1833576fcbf8c5c99407adf2614e8d56ee8e605f4cfb41a9a91fc069c88f4a38153bce0a9d7e1d20041f1232f7c75861aae42d0e3d1353283

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
542fde4d45076a2a4bae7ff022957e0f

SHA1
ebd387edda0bdf9b1c3708374b48d9e81131f7b1

SHA256
a408334d02973fbc866e52d38c8ba4e6235ac89af3943d91ab992060c9a5b43b

SHA512
65be7b5fb71baf017c7b380aef0078ea53c33503a2f94f4deb63694e720e93338b2da9b3bdc2be2152979be6efd07b38beb02e376a77010ed69b9fec31c45af4

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
a001de0cf2ad6f6e618f633c8d5c06e1

SHA1
d6a0faeb4fb189e8abd48b47c0cf0718f80a5656

SHA256
798c912c264080e6f58c9cd1e6af43b49870e21f828b45b83246613e4cb4b3a5

SHA512
43932f0a12cbc1f240dc445db1e66e565244b6a906f8e8f7f5cf4ee6e51d208f68b7d665baef80c964ed43b1346bdf73dcc7d010960690a7437c6bbe9cb89391

Download Submit
memory/364-266-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/364-265-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/364-271-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/852-247-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/852-242-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/1808-232-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1808-226-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/1956-254-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1956-250-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/2168-257-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/2168-262-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2800-129-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2800-124-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3004-116-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3004-115-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3004-113-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/3004-112-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3100-169-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3100-164-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/3324-139-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3324-134-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/3324-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3420-143-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/3420-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/3420-147-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3420-306-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3420-2-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/3420-307-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3420-304-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3420-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3420-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/3420-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3500-239-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3500-234-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/3640-160-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3640-155-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/4224-178-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4224-173-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/4308-274-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/4868-152-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4868-144-0x0000000074D30000-0x0000000074E8D000-memory.dmp

Filesize
1.4MB

Download
memory/4868-146-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download