c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Size

91KB
MD5

b2e7729144512e4662ecdf17295b7d7e
SHA1

913a139a2c0d0d8c39de05ccb460c3138fdc6c2c
SHA256

c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3
SHA512

50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VT9gRsjdf1aM67v32Z9x5nouy8VT+W:EOaHv3YpoutN+OaHv3YpoutN+W

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
780	xk.exe
2460	IExplorer.exe
1492	WINLOGON.EXE
1548	CSRSS.EXE
1532	SERVICES.EXE
2736	LSASS.EXE
2748	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/408-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016dbf-8.dat	upx
behavioral1/files/0x0008000000018b5c-111.dat	upx
behavioral1/files/0x00050000000195cc-118.dat	upx
behavioral1/memory/780-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2460-124-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2460-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000195f9-129.dat	upx
behavioral1/files/0x00050000000195fb-139.dat	upx
behavioral1/memory/1492-142-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000195fd-153.dat	upx
behavioral1/memory/1548-152-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/408-157-0x0000000001D60000-0x0000000001D8F000-memory.dmp	upx
behavioral1/memory/408-156-0x0000000001D60000-0x0000000001D8F000-memory.dmp	upx
behavioral1/memory/408-155-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000195ff-174.dat	upx
behavioral1/memory/1532-169-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2736-179-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019601-180.dat	upx
behavioral1/memory/2748-193-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/408-192-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
File created	C:\Windows\SysWOW64\shell.exe	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
File created	C:\Windows\SysWOW64\Mig2.scr	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
File created	C:\Windows\xk.exe	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
780	xk.exe
2460	IExplorer.exe
1492	WINLOGON.EXE
1548	CSRSS.EXE
1532	SERVICES.EXE
2736	LSASS.EXE
2748	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 780	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	29
PID 408 wrote to memory of 780	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	29
PID 408 wrote to memory of 780	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	29
PID 408 wrote to memory of 780	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	29
PID 408 wrote to memory of 2460	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	30
PID 408 wrote to memory of 2460	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	30
PID 408 wrote to memory of 2460	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	30
PID 408 wrote to memory of 2460	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	30
PID 408 wrote to memory of 1492	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	31
PID 408 wrote to memory of 1492	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	31
PID 408 wrote to memory of 1492	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	31
PID 408 wrote to memory of 1492	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	31
PID 408 wrote to memory of 1548	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	32
PID 408 wrote to memory of 1548	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	32
PID 408 wrote to memory of 1548	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	32
PID 408 wrote to memory of 1548	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	32
PID 408 wrote to memory of 1532	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	33
PID 408 wrote to memory of 1532	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	33
PID 408 wrote to memory of 1532	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	33
PID 408 wrote to memory of 1532	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	33
PID 408 wrote to memory of 2736	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	34
PID 408 wrote to memory of 2736	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	34
PID 408 wrote to memory of 2736	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	34
PID 408 wrote to memory of 2736	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	34
PID 408 wrote to memory of 2748	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	35
PID 408 wrote to memory of 2748	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	35
PID 408 wrote to memory of 2748	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	35
PID 408 wrote to memory of 2748	408	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe	35

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe

C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
"C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:408
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:780
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2460
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1532
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
a90b4c106213e56363e3b35e3a815f02

SHA1
26855c80e6747e6cbbd2f9392ec02ace71a06111

SHA256
bbbc47c24adcde0477c63cce356ac85bd790d8c4b3d2f831140974842e08640b

SHA512
7283fe583520ba2b3cc13de47ff8c78b21cb5db1a46e4d9edd1e40e3f8938c2fe9df92832a57bc47c53430fc81b0cdb257ca558e0868f88cb95f615f646efc12

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
b2e7729144512e4662ecdf17295b7d7e

SHA1
913a139a2c0d0d8c39de05ccb460c3138fdc6c2c

SHA256
c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3

SHA512
50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
77b677203afc214e71d946bbe6f649d1

SHA1
00d511a9cee7ebc0850e64d91524ef61bbc620df

SHA256
e4941fc31be7e1974885dcb7decda9755f712adb55eae479cec5803f7d5fcc4d

SHA512
b6f16c21233f8aca813a4fccaf4100fc65ed08b0ceac9c6922afa20b1d1d9559d44468e94fa798c77a02a32d4ec7c230249ffe3ceb9e140f34da9e0e40d3afe1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
5cbfecaf62e29aa6d5679b2abb88939d

SHA1
53eda7313ed0f11e8eb2a9ccfb719a73cc50a497

SHA256
b42931eaaaa0901e8e8135d3cc900ce3f6b14fad9454d808f966105fb2a8de79

SHA512
31970c83ba5611afba7708ff535524311252b6fd25b771f4ca995a9477a06cdb24f8ffded898326c03a037070f4b02e0f382b6fbe8b44ccf52f16541e333911d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
785cab6a1ffdf5cf80b25e4533d8cb1b

SHA1
addd4cc9cd37915a06f6f5e4863941cbc3179df7

SHA256
50e3a99e159cc8f3c8f35692cd61a4fe6501b9138a8008e2f698b99ac5d88b9e

SHA512
896faa617dcd17d495c8e174a18ab4b15e4ec5078fd3033917b1380b945b2ff5e95d793e47022dd3d95c07b5c3013d915592ed283624fb5c355365baff9e4794

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
4943f9812d1f65d55cce785b8695b5e2

SHA1
b68590a979a85ee92528910af8c44e4fca07eb96

SHA256
3db16e11645e9c9c6042c42170906d3b9322278ad89c5726136d7b779b5eadfb

SHA512
55396e1fdcf9f4f9c57822fedcaa8d16849a5c90145aa27cbb9373947d5ef230989383ed62d46a05d887e4a2e149309656def470dc459733ae87d34f2353da38

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
37cbce951a4745e13737f398228eefcc

SHA1
d745a814fa110dc1b99366e497be7468dd6a9fd1

SHA256
20e22ec177166eb18269edf44d9a42b9d4ae82ac62f36559063fd6ecaa7374d1

SHA512
0bce4d4ecec76d0b228ea3a27c9d59766e66fd62dd19c7060fbb1859250b2fd618f1edfc1bdfd265a047a00e5b8b03c889cbf238535752fd68b00e50547ac224

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
1508951777ea1bffec0adc193ab78c53

SHA1
86cce67d989c565481345a213aa684eacfdcdd69

SHA256
d8af5cff1ecdeea23bba0a11c04be1ab01fee8bf10456c7481db8e5395d3866a

SHA512
86d8dda45ca94ab127599ef4cd8c164f4e29d4fa113dc8f5964da8f56418415919d70c73508d44a5024b3281265a085ce8c182c1731b905be40ca5a7b438f602

Download Submit
memory/408-109-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-110-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-175-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-136-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-123-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-148-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-186-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/408-162-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-157-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-156-0x0000000001D60000-0x0000000001D8F000-memory.dmp

Filesize
188KB

Download
memory/408-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/780-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download