Analysis
max time kernel: 120s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 04:43

Static task: static1
Behavioral task: behavioral1
  Sample: 2cdd90e5b69dbbad23a43b26356696c0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2cdd90e5b69dbbad23a43b26356696c0N.exe
  Resource: win10v2004-20240802-en

The signatures, process tree and dropped files below come from the behavioral2 run (win10v2004-20240802-en, x64); the yara resource paths are prefixed behavioral2/ accordingly. The behavioral1 (Windows 7) run is not shown on this page.

General
Target: 2cdd90e5b69dbbad23a43b26356696c0N.exe
Size: 325KB
MD5: 2cdd90e5b69dbbad23a43b26356696c0
SHA1: 27eaf57a25fd34696e6dbb772d9081cbb377252f
SHA256: 753133fd1a1fd89dbc8c736105d87dad6ce5a4deb531c054d53f2593b88f3d93
SHA512: 1a2203c542d764dabb340960eba74111926985152ec042a6b386d6edc3db40911c7893227b12e818ddbc05d1cf8d6e5ddc95b0ee425a6ac8a4abc5c8e9ba7c0e
SSDEEP: 6144:LY+32WWluqvHpVmXWEjFJRWci+WUW20rUU5EYCTvaBju43:EnWwvHpVmXpjJIUW2cUusvalx3
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\PIO4X1H.exe\"" (system.exe, lsass.exe)
The value keeps explorer.exe as the first entry and appends the dropped PIO4X1H.exe, so the desktop still appears normally at logon. Note that this 32-bit sample's write landed under WOW6432Node, i.e. the 32-bit registry view.

Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (system.exe, lsass.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (system.exe, lsass.exe)

Disables use of System Restore points (1 TTPs)
No separate IoC is listed for this signature; the matching behaviour is the Image File Execution Options entry for rstrui.exe below, which redirects the System Restore UI to notepad.exe.

Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 12 IoCs)
Keys created under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options:
- msconfig.exe (lsass.exe, system.exe)
- regedit.exe (lsass.exe, system.exe)
- rstrui.exe (lsass.exe, system.exe)
Values set (str) under the same key:
- rstrui.exe\debugger = "C:\\Windows\\notepad.exe" (system.exe, lsass.exe)
- msconfig.exe\debugger = "C:\\Windows\\notepad.exe" (lsass.exe, system.exe)
- regedit.exe\debugger = "C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" (system.exe, lsass.exe)
Any launch of rstrui.exe or msconfig.exe therefore starts notepad.exe instead, and regedit.exe is replaced by the dropped regedit.cmd. Unlike the Winlogon and Run writes, these land in the native key, not under WOW6432Node.

ACProtect 1.3x - 1.4x DLL software (1 IoC)
Detects file using ACProtect software.
- yara rule acprotect: behavioral2/files/0x000700000002344f-147.dat

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (lsass.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe)

Executes dropped EXE (5 IoCs)
- PID 3244 service.exe
- PID 3040 smss.exe
- PID 4964 system.exe
- PID 1408 winlogon.exe
- PID 3636 lsass.exe

Loads dropped DLL (1 IoC)
- PID 4964 system.exe

Modifies system executable filetype association (2 TTPs, 2 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" (system.exe, lsass.exe)
Combined with HideFileExt = "1" above, this makes dropped executables show up in Explorer with the type "File Folder" and no .exe suffix.

UPX (yara rule upx, 3 IoCs)
- behavioral2/files/0x000700000002344f-147.dat
- behavioral2/memory/4964-319-0x0000000010000000-0x0000000010075000-memory.dmp
- behavioral2/memory/4964-331-0x0000000010000000-0x0000000010075000-memory.dmp

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0X1HPY = "C:\\Windows\\GIS3D5I.exe" (system.exe, lsass.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sMS3D5I0 = "C:\\Windows\\system32\\RML1S6NLPY7U7T.exe" (lsass.exe, system.exe)

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by service.exe: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter from E: to Z: except F:)

Drops file in System32 directory (42 IoCs)
File opened for modification by each of the six processes (2cdd90e5b69dbbad23a43b26356696c0N.exe, service.exe, smss.exe, system.exe, winlogon.exe, lsass.exe):
- C:\Windows\SysWOW64\KYD5G6Q (directory)
- C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd
- C:\Windows\SysWOW64\RML1S6NLPY7U7T.exe
- C:\Windows\SysWOW64\VTX4F2Q.exe
- C:\Windows\SysWOW64\regedit.exe
- C:\Windows\SysWOW64\msvbvm60.dll (the Visual Basic 6 runtime)
- C:\Windows\SysWOW64\systear.dll

Drops file in Windows directory (64 IoCs)
File opened for modification (writing processes in parentheses):
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E} (directory; winlogon.exe, smss.exe, lsass.exe, service.exe, system.exe)
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe (system.exe, lsass.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe, winlogon.exe, smss.exe)
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe (2cdd90e5b69dbbad23a43b26356696c0N.exe, winlogon.exe, system.exe, smss.exe)
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe (winlogon.exe, system.exe, lsass.exe, smss.exe)
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe (2cdd90e5b69dbbad23a43b26356696c0N.exe, smss.exe, lsass.exe)
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe (winlogon.exe, system.exe, smss.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe)
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com (2cdd90e5b69dbbad23a43b26356696c0N.exe, winlogon.exe, smss.exe, service.exe, lsass.exe)
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd (winlogon.exe, service.exe, system.exe)
- C:\Windows\lsass.exe (lsass.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe, system.exe, smss.exe)
- C:\Windows\GIS3D5I.exe (smss.exe, system.exe, lsass.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe)
- C:\Windows\LPY7U7T.exe (system.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe, winlogon.exe, service.exe)
- C:\Windows\onceinabluemoon.mid (2cdd90e5b69dbbad23a43b26356696c0N.exe, service.exe, winlogon.exe, system.exe, lsass.exe)
- C:\Windows\moonlight.dll (lsass.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe, system.exe, service.exe, smss.exe)
- C:\Windows\cypreg.dll (2cdd90e5b69dbbad23a43b26356696c0N.exe, smss.exe, lsass.exe)
- C:\Windows\system\msvbvm60.dll (service.exe, smss.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe, lsass.exe)
File created:
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip (system.exe)
- C:\Windows\MooNlight.R.txt (smss.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2cdd90e5b69dbbad23a43b26356696c0N.exe, service.exe, smss.exe, system.exe, winlogon.exe, lsass.exe)

Modifies registry class (10 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile (lsass.exe, system.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" (system.exe, lsass.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile (lsass.exe, system.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder" (system.exe, lsass.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (lsass.exe, 2cdd90e5b69dbbad23a43b26356696c0N.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeBackupPrivilege, PID 4964 system.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 3508 2cdd90e5b69dbbad23a43b26356696c0N.exe, PID 3244 service.exe, PID 3040 smss.exe, PID 1408 winlogon.exe, PID 4964 system.exe, PID 3636 lsass.exe

Suspicious use of WriteProcessMemory (15 IoCs)
PID 3508 (2cdd90e5b69dbbad23a43b26356696c0N.exe) wrote to the memory of each dropped child three times, the pattern of a parent starting a new process:
- PID 3244 (procid_target 85)
- PID 3040 (procid_target 86)
- PID 4964 (procid_target 87)
- PID 1408 (procid_target 88)
- PID 3636 (procid_target 91)
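The registry writes above can be triaged mechanically. The script below is an added example and is not part of the sandbox report or its tooling: it parses "Set value" lines in the report's own format and applies one rule per behaviour the report flags (Winlogon Shell, IFEO Debugger, Run values, exefile/scrfile default value, HideFileExt/ShowSuperHidden). The sample lines are copied from the signatures above, plus one constructed control line (process name control.exe, made up here) with the default Winlogon Shell value to show a non-match. The ATT&CK IDs are the sub-technique numbers for the techniques named in the report's MITRE section. WOW6432Node and the per-user SID are stripped during normalisation so that a 32-bit and a 64-bit write to the same logical key hit the same rule.

```python
"""Triage registry 'Set value' events from a sandbox report.

Added example, not the sandbox's code. Sample lines copied from the report;
the control.exe line is constructed.
"""
import re

# Constructed sample: seven lines copied from the IoC entries above plus one
# made-up benign control line showing the default Winlogon Shell value.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\PIO4X1H.exe\"" system.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe" system.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd" lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0X1HPY = "C:\\Windows\\GIS3D5I.exe" system.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" lsass.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" lsass.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" control.exe
'''

# Line shape: Set value (<type>) <path> = "<data>" <process>. The data may contain
# escaped quotes, so it is matched greedily; the space-free process name anchors the end.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
HKLM_PREFIX = "\\registry\\machine\\"
HKU_PREFIX = "\\registry\\user\\"


def normalize(path):
    """Return (hive, key, value_name), lower-cased, without the user SID or WOW6432Node."""
    p = path.lower()
    if p.startswith(HKLM_PREFIX):
        hive, rest = "HKLM", p[len(HKLM_PREFIX):]
    elif p.startswith(HKU_PREFIX):
        hive, rest = "HKU", p[len(HKU_PREFIX):].partition("\\")[2]  # drop the SID
    else:
        hive, rest = "?", p
    rest = rest.replace("\\wow6432node", "")
    key, _, name = rest.rpartition("\\")  # a trailing "\" means the (Default) value
    return hive, key, name


def classify(key, name, data):
    """Return a verdict string for a suspicious write, or None when the rules do not fire."""
    d = data.lower()
    leaf = key.rpartition("\\")[2]
    if key.endswith("\\winlogon") and name == "shell" and d != "explorer.exe":
        return "T1547.004 Winlogon Shell replaced: " + data
    if "\\image file execution options\\" in key and name == "debugger":
        return f"T1546.012 IFEO Debugger for {leaf} -> {data}"
    if key.endswith("\\currentversion\\run"):
        return f"T1547.001 Run value {name} -> {data}"
    if leaf in ("exefile", "scrfile") and key.endswith("\\classes\\" + leaf) and name == "":
        return f"T1546.001 {leaf} (Default) changed to {data!r}"
    if key.endswith("\\explorer\\advanced") and (
        (name == "hidefileext" and d == "1") or (name == "showsuperhidden" and d == "0")
    ):
        return f"T1564.001 Explorer {name} set to {data}"
    return None


def triage(report_text):
    """Parse every 'Set value' line of the report text and return the findings in order."""
    findings = []
    for line in report_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        hive, key, name = normalize(m["path"])
        verdict = classify(key, name, m["data"])
        if verdict:
            findings.append({"process": m["proc"], "hive": hive, "key": key,
                             "value": name, "data": m["data"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['process']:<12} {f['verdict']}")
```

Run against the eight sample lines it reports seven findings and stays silent on the control line. On a live Windows host the same rules apply to a registry export, but check both the native key and the WOW6432Node view: the report shows this sample writing Winlogon\Shell only in the 32-bit view while its IFEO entries went to the native key, and whether a 64-bit winlogon.exe honours a Shell value in the 32-bit view is something to confirm on the host rather than assume.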
Processes
C:\Users\Admin\AppData\Local\Temp\2cdd90e5b69dbbad23a43b26356696c0N.exe (PID 3508, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2cdd90e5b69dbbad23a43b26356696c0N.exe"
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe (PID 3244, level 2, child of 3508)
  Command line: "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe (PID 3040, level 2, child of 3508)
  Command line: "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe (PID 4964, level 2, child of 3508)
  Command line: "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

  C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe (PID 1408, level 2, child of 3508)
  Command line: "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx

  C:\Windows\lsass.exe (PID 3636, level 2, child of 3508)
  Command line: "C:\Windows\lsass.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
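Every child in the tree above carries the name of a Windows system process but runs from C:\Windows or from the dropped GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E} directory. That directory name ends in the CLSID of the Recycle Bin, so Explorer presents it as a Recycle Bin rather than an ordinary folder. The check below is an added example, not part of the sandbox report: it takes the (PID, image path) pairs copied from the Processes section and flags names that do not exist as genuine Windows images (system.exe, service.exe), genuine names running outside their normal directory, and images living under a Recycle Bin CLSID suffix. The expected-location table is an assumption for the Windows 10 x64 image used in the run.

```python
"""Masquerading check over a sandbox process tree.

Added example, not the sandbox's code. Process list copied from the report;
EXPECTED_DIR is an assumption for Windows 10 x64.
"""
import ntpath

# Constructed from the report's Processes section: (pid, image path).
REPORTED_PROCESSES = [
    (3508, r"C:\Users\Admin\AppData\Local\Temp\2cdd90e5b69dbbad23a43b26356696c0N.exe"),
    (3244, r"C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"),
    (3040, r"C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"),
    (4964, r"C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"),
    (1408, r"C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"),
    (3636, r"C:\Windows\lsass.exe"),
]

# CLSID of the Recycle Bin shell folder; a directory named "anything.{clsid}"
# is rendered by Explorer as that shell object instead of as a folder.
RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"

# Assumed genuine locations on Windows 10 x64, lower-cased for comparison.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Names that resemble core components but are not real Windows image names:
# the kernel process is "System" (no .exe) and the service controller is services.exe.
LOOKALIKE_NAMES = {"system.exe", "service.exe"}


def check_process(pid, path):
    """Return the reasons (possibly none) why this process looks like masquerading."""
    directory, name = ntpath.split(path)
    name_l, dir_l = name.lower(), directory.lower()
    reasons = []
    if name_l in LOOKALIKE_NAMES:
        reasons.append(f"{name} is not a genuine Windows image name")
    expected = EXPECTED_DIR.get(name_l)
    if expected and dir_l != expected:
        reasons.append(f"{name} runs from {directory}, the genuine copy lives in {expected}")
    if RECYCLE_BIN_CLSID in dir_l:
        reasons.append("parent directory carries the Recycle Bin CLSID suffix")
    return reasons


def find_masquerading(processes):
    """Map pid -> reasons for every process with at least one finding."""
    return {pid: r for pid, path in processes if (r := check_process(pid, path))}


if __name__ == "__main__":
    for pid, reasons in find_masquerading(REPORTED_PROCESSES).items():
        for reason in reasons:
            print(f"PID {pid}: {reason}")
```

All five children are flagged and the original sample in the user's Temp directory is not, since its random name matches nothing in the tables. On a live host the same comparison can be run over the output of a process listing, with the table extended for whatever other system binaries the environment cares about.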
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (5)
Downloads
Filesize: 325KB
MD5: 50c4bf1113f7d2d65ba38fcdb04ee6af
SHA1: 50e128c69e17d24aedb042e9ca7ef356b468ba63
SHA256: 795ed0e8342d5266d4dceb596e427fce8bd3ab9ecc7c639c0b9ada2bf51dc601
SHA512: b7528285fa6d66a063c778996c30a711a1ab72a471333ebe1d8c3ea982d729b581ea0b51baeb131cbdd262c886127f688f9540c14e3163b66ac7d1374184757d

Filesize: 325KB
MD5: 27ca1e419d7e11d9d2d97a1c6888b956
SHA1: 11e6a9f9f38944ace3d9b64c0fd3f59c5caf3a23
SHA256: 771dc9415f2852fad796253095e0da1aa169716462bba5840a24d833a39e0bb3
SHA512: a5e44e85c01c859b572ea6e3f429f55dedd05a43d2e17551b4d11f373ef8cbae7606bb94ef4d968c94a96c6d98391e78961a628b1b49717852feb2aebe94ffdc

Filesize: 325KB
MD5: 0d948f09a03f8443f5e7e05ba5c1a7a9
SHA1: d89e2089c176b404d5e625aa855261bfe946be7e
SHA256: e6abf8db6c55dc18deee71181b5f5f0a71ad9990145f20319f5c78ca17782146
SHA512: 66a934411085d197283c1824d416af497baf6507fbb7e671423e839a15cd0c34e773974e4d654cd3874c51ad4521d7d5e6418a2fd29fd5f3bfc66ee6830b877a

Filesize: 325KB
MD5: d995c4fc5fab9e9791642a385a321954
SHA1: 4994c9d07df55975d5cfd73411e6a59a1c46eaf3
SHA256: b3b4fc94277964a64e9c8092cefb45da40a9c31599956c64d4382bdc0b701335
SHA512: 82423ca43ff29394797742c92255a60c084fdea3406577f6552a19abc5420b9787aaa31d9f6397b141fc1b06693061da93cbd7ea34c2674d024b50687b73ac75

Filesize: 325KB
MD5: 1ddc6b2e324484a2ce75b1a5691b6c11
SHA1: a32a1664048d7ea2bef7ea8d8c9e42eb3f28d4e5
SHA256: 3fac5025b96d6ca8a555387fae8fe137f98b559462858263c9a403f8e3dc889d
SHA512: 6420983605676a01cf9376f1a861bac718dcead39ec09bb93b40dddf3b5b3db6611a4683e501679c85cc7001a9ec205d70ea9052777e051a6835bd4c9c881f05

Filesize: 325KB
MD5: d832564f2a2612ae657f29515127881b
SHA1: a360ce918efca507aed29f63867418def85c2b86
SHA256: c38b1355c4abb56a3abe9beebae813872fad4d82dbe23664c4e7bc13e85c9c54
SHA512: ba7ee1e5bc993e21005af9078ca818d740ff0a3fb22a07ce63c856d633150916dfe6fbec505ba9f1e07292c6f3ecee6bde9b3981e39d4acc4222451e652d5a16

Filesize: 325KB
MD5: a0c16a664d5fef4d0bba6d7b079a79ed
SHA1: 8921a8fc72d0049b978763aa6b2f720f941b94a3
SHA256: 5476e9f8cc6940d067e325af2cacbe0b597c60385ff7e1f601fb34ca727929de
SHA512: 9aed63cbf3cf85700aac10007e542a1e9b57514bc7dd630f246efaafa935a210d2dcf9d9f2ec23ab18a8104040a132e1d8335de5ca5762518639677a552acbf1

Filesize: 325KB
MD5: 673d81432014e959d510da15697573a5
SHA1: d0ff2235bb9825211f5a9288d0c4a830ac7d2ab4
SHA256: 5336e3cf47b6d925d3ea343ea638104b4180143945ea14370466fe17901654f0
SHA512: 2d3376a920d9d02df0996460b7738574edae5cde0671a471b7c7cba441e67b619b3935c96b13dc5936557142ed7738971e11f83b058cc2b002b5c079870910c8

Filesize: 325KB
MD5: b1f0027eefb445c5030fda1d35f0f2e3
SHA1: d06e1a23755f80c5c13b7e2e63857cede8ab77cc
SHA256: 166adb13d91c8196a65371742e8c9b33dc4229534fbbf436a39a26970a0e0fbc
SHA512: 04e5b6e38ee31cc5e8c387e6c7aafe66612ecd01bd990615950a1323b0f2858d10244d1884bf40aff0aff8db8806811fd5a06126243cc8c75ac8bba286c5e2f3

Filesize: 325KB
MD5: 78ebdbe032a2df194523960e9d3fdfe4
SHA1: fc8d9484fbbafa89b3dd568c9565b9820d3265fd
SHA256: 5687360d3598e20cce3f425a09c01f7520a94a1008dc843acb73bfd8aca1067e
SHA512: ea386462c1648ab7bb5ca7b2750e7f4db03ed1e1774c2eaff47c0faaa1b1d3335ceae36c701f8ed31adcfa5c01b01f069b7e24fbfa759835c580ad2e2c7aed1a

Filesize: 325KB
MD5: d1f09577d97c402324133124a720abc5
SHA1: ec529922b99e5613849667ced842ece3dd1a99bc
SHA256: b67f011e51f45995d3aa119b1678f2b03a53980d9d4861d602a09b25e7ebc256
SHA512: d2690feab1a6c4f1f78192ece8b8e3b447ef67e27d4204ee074668449e30eaf0a3175284b94e692642295c4080c1fd990d0dad7127568b81b74a6e71788bec47

Filesize: 325KB
MD5: 99922297a23d0299f1ced6fdb70531da
SHA1: d2259c7600a6ba671921fc07d6dc70ccd9958d43
SHA256: c86c1f0d803dc62167ba123943d87e005025141c1a3d13351a4f791de921245c
SHA512: af63e023dd6210017b5e594f62d74549e232bdff2c6061736c02cfa5540382962baf8abbc280eafd26844eebd7f48739aa33a4db792802afa93d2fb4dd943f25

Filesize: 325KB
MD5: c1162554364b293ec3830fa7a829781f
SHA1: ed953aa8de6296b9d4262a6a7efc1f91bd773862
SHA256: b344ddc027c2bd80f08245c724f9c415992095ac19e82361eb6528ee35351a2f
SHA512: afef10e7c558ffb1749cd7799f707e26859f2572846392f1339f911485a9a279c937cae3ba4bb2a230700bb51721903c4df4d1fa5ae9d9e5a7a597517262fb65

Filesize: 325KB
MD5: ce76f740f66b15be3a5a1b926d869115
SHA1: 60297c893c56a657679e2052038429b1f6c07d04
SHA256: 6ea3dd5728f5283f46ee210ab218f862ef6d017480306922e1b8655066a6b5c6
SHA512: 87c999152d185b7c5dccb39fdded0ddca04c45d2bfe43e5b72fe092857378ffd578bb47124cc68e71bee1444ae9352694de1deea56dcf952d062397115271f4a

Filesize: 325KB
MD5: 58b141daae7f62146f928af75a0ab990
SHA1: 5a0022696824de40574a219b70a79a08b257714f
SHA256: ee52121625a231f7994397629f0e2672cb5ddd711b8af88de90e580aadb1700b
SHA512: 13ccf36dcda0e1bfdea6ef0cde125751af76e36ed691a3bcdea95be44fc878294048d76f2d1ab7b322d91628095ebfafb88f1e8770e006687fe177da67cde2e9

Filesize: 325KB
MD5: e5ca751d07edae2064dcdb415ddb3c99
SHA1: 4764c0770d8024dae6ed427d4233e44db299e09e
SHA256: 23666e595533e510b74d5a8c1a9b03e1ce7277cd0a048d150af67d4cb2ab16ce
SHA512: 781361ea72d62883b66f3866136fe197f25a1ed6cc40ecd1b850edfc57bbacf6a8df3c28a10b60166b687cf6f65a627cfeac07aa855b83fa0ea694d8421b76a5

Filesize: 325KB
MD5: 56c6f6fb138c1e9a83c6299eff70ebb4
SHA1: 4b1a2bad3f14a4a8ecda10820e6cbe3f9ffdbc29
SHA256: 93a2002e46addf856fe804d760a10f1f4e08a3ad259a1b6b7127375e0f2827c4
SHA512: 263e7488a4ebe7a7c007b08d0a888108f1c74529b6c063569aa28f5f98a977ffd7b517237a588acc94b8de29d6d67ecc803af3264477ac9d9457d6ef5685f57c

Filesize: 325KB
MD5: f53c00a0cdde3a6b7b70b9ea3f7bab45
SHA1: 0e073f955f7424f3a94b335d45fcd77f7e75b940
SHA256: 9676bbafa7bcfc79239b171681a57c3978b90a8b0c71cb0cc8000362396da785
SHA512: 21ee823f7868191ff73dc429d7cf737242ddf07206c0f8251b5995ba407a09fe997b0e48618c014b181e42525573e167af1b48213092535e99f6ea0546eac190

Filesize: 127B
MD5: 99a75729e2b9e0e55ea2571dfbb0c0e0
SHA1: 7a386771122b0c786f0777dbc82d8c84a85c4ca6
SHA256: 8a35263b316e405984c4079a693abcc70dccfa4bb413060a0cbef40469a1f5f3
SHA512: c46114d89945071347a456ceb1ab9ff4da1dc963c80e5331f7fabdb873030641468eb5cd271aa2ab7dc770873243df7f504fa786b49e4315519d2df1d4b282a2

Filesize: 141B
MD5: af34ca93d64f43e1a4ab7e9ad981cdcc
SHA1: 58ae5dcb7b011d696667cc5db1ab09b275568c4d
SHA256: c8a9089c2d9ba1b9a31f67a57a3ff2adf23dcc57d291aa9b2783d5ea3622dd52
SHA512: c959edd7421a11e34917b9cd2867cff7fc278c2e493da9a8575ea3f8d9383886de84495eb04a8ad0bad602c66172aac2386e7794f5de8f930b98ae5120daf923

Filesize: 361KB
MD5: 71004378b0f33f3896c33c49bff4b92c
SHA1: 1fc600fb35b9999ae5fa53f3996a2e6a5cc1941c
SHA256: 0dfa598f510d68b0a393a3c3afbc8c743cbe6d56a22761ce46b0712f81df382e
SHA512: e392e980248ed91a20a6d427635a73c8e475350fa31d5a4881225e814edfe5c817c6f319595a7051d3fa262318a0394f233508401eb02d97e444dd62433df6d3

Filesize: 361KB
MD5: 1e1e0ba48fa72dc5e7b482afd9d3a7e0
SHA1: 2a930121ef6839a0905d253ddeae565b45a95782
SHA256: 94ca13a7007fb2c1db881f79c436a1b392e7a41ff8e126f5d3b4f32cfe2183c9
SHA512: 70e0886004a164817cad5829d588fda560527579842d4fed654a2bfbe2999e473aebd8f67ac733362c107c5c40245cbf58906e7934e6138e43ce630c850fcc7d

Filesize: 361KB
MD5: b8ebc4cf5cfc35dbd116076639c6ea4a
SHA1: 8ccb2941483c70095ecc1f77b5d34465c1b3fc07
SHA256: 2e5fcf58ca00004e2ab8793fb8ab64121119d4f737f6eb5baa7f52f8d3059d10
SHA512: 6ba8d358e216965ee4b1c16afa21c8a773d8c903a6d37ae15ded25f0f13bf3424480a6e50c7d90c755c545b2c45ed1c0086993b427c2c37b492e775faec4f8ea

Filesize: 325KB
MD5: fa4d1fad7875fec6b2a535cf2796d72e
SHA1: b890817151ad28caedd931277b77384e33dfcd72
SHA256: eae73675a3ffa3909517aa19e0f2f3ba52527ca74b8a3959f83f9b48e4c0b04b
SHA512: 548fe9c0123c7f8ecc562aeaafa875095c46c48f089c7943b78949569befe4c8a259a0d5da0f5ac5a13efc2f91a47b10ca715e325acd767bf6c996f863fdec85

Filesize: 325KB
MD5: 64935faa9b17dfc65e7c2dda274bd457
SHA1: c1b134f614c19da1d08392970d508800a8b627a9
SHA256: beea2622aebc0fdd2f741a82d760b320ee665d344e3df3cfd6fbd552ecf2dd99
SHA512: c1c1c3807126c02808a0325f857a36c9669c56e631bf8c7780296b70eeaad8e3d5948350033313424dc24cb16f0498bda7c79a46e8845c283adac4547f8d1f50

Filesize: 65KB
MD5: c55534452c57efa04f4109310f71ccca
SHA1: b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61
SHA256: 4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc
SHA512: ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Filesize: 8KB
MD5: 0e528d000aad58b255c1cf8fd0bb1089
SHA1: 2445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256: c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA512: 89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Filesize: 1.4MB
MD5: d93921be0a8cc54b2914d59edda504ff
SHA1: 61699b7bf5b7b3903ed8a99623367054f57a934a
SHA256: 2160e45f6bb10d3e3a8765ffc01b42dd6a68159abf14c1a8dea2602365bb002d
SHA512: 6dc0088e685920d63b7898a413d1351b37c5c431d02ffd04c3db42527ec09178641a94abefdaa2dd2a70792240d1caf25f943fe04ca4eb9556a52f9ed17e4a36

Filesize: 1.4MB
MD5: 220cd5b36a14cfc83715839698aeaaa8
SHA1: e2957eb14abffa17ad61b7555221803444f92288
SHA256: eb319cc5c5e432b3f111b185fa12e1410b43d90b81b4bd8d7f007c860256b4b1
SHA512: 65f4473e6f2f6af2c9197fb25955b58f1f2504b3cf364e6e6f41b9e1ba9fb6a80613797a0b4b24b41ce88b1f2afbb52cc3efcc5a362c4f54f2beb745028a9441

Filesize: 1.4MB
MD5: 121c6d3c64d63e8bcefaf599acfd9ed5
SHA1: 97273b1d544a2ba345eb118de55431fe25e03ee0
SHA256: 27b91e8f5888115fcabcc721905935555dee46f5c8e1bff2a2f6ee7b8dd74009
SHA512: d1b0d63d08ee04f37999a86a6f0cd7e151d3bd74432c3052668d9c0ee8f0d0d681e74fe58beca534e1166f58b7fe578fa7105f37b0f8d707e46615337315b362