Analysis
- max time kernel: 16s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 24/08/2024, 02:15
Behavioral task behavioral1
- Sample: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- Resource: win7-20240729-en
Behavioral task behavioral2
- Sample: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- Resource: win10v2004-20240802-en
The YARA matches below are all tagged behavioral1, i.e. they come from the Windows 7 x64 run; no behavioral2 (Windows 10) results appear on this page.
General
- Target: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- Size: 91KB
- MD5: b2e7729144512e4662ecdf17295b7d7e
- SHA1: 913a139a2c0d0d8c39de05ccb460c3138fdc6c2c
- SHA256: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3
- SHA512: 50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786
- SSDEEP: 1536:ERsjdf1aM67v32Z9x5nouy8VT9gRsjdf1aM67v32Z9x5nouy8VT+W:EOaHv3YpoutN+OaHv3YpoutN+W
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
All registry writes in this group were made by c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe (PID 408).
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"
Both values keep the legitimate program (Explorer.exe, userinit.exe) and append the dropped IExplorer.exe, so the desktop still comes up and the copy is started at every interactive logon. Note the Wow6432Node path: the 32-bit sample was redirected to the 32-bit registry view, while the 64-bit Winlogon on this image reads the native key, so on x64 these two values are unlikely to take effect; on 32-bit Windows they would.
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
HideFileExt = 1 and ShowSuperHidden = 0 are also the Windows defaults, so the values alone prove nothing on a host; the evidence is that a process other than Explorer wrote them. Together with the exefile type description changed to "File Folder" (under "Modifies system executable filetype association") they make the dropped executables look like folders.
Disables RegEdit via registry modification (2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
The policy is set in both the user and the machine hive, so regedit.exe refuses to start for every account. reg.exe and PowerShell's registry provider are not affected by this policy and can be used to undo the changes.
Disables use of System Restore points (1 TTPs)
No IoC is listed on this page for this signature.
Executes dropped EXE (7 IoCs)
- PID 780 xk.exe
- PID 2460 IExplorer.exe
- PID 1492 WINLOGON.EXE
- PID 1548 CSRSS.EXE
- PID 1532 SERVICES.EXE
- PID 2736 LSASS.EXE
- PID 2748 SMSS.EXE
Loads dropped DLL (12 IoCs)
- PID 408 c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe (all 12 loads; the report names only the loading process, not the DLLs)
Modifies system executable filetype association (2 TTPs, 13 IoCs)
All entries written by c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
The clean value of the exefile, comfile, batfile and piffile open command is "%1" %*, and lnkfile normally has no shell\open\command at all. After this change every .exe, .com, .bat, .pif and shortcut the user opens is handed to C:\Windows\system32\shell.exe with the original target as its argument, an execution trigger that is independent of the Run and Winlogon entries. The exefile default value is the type description Explorer displays; "File Folder" in place of "Application" hides what the dropped files are. One caveat for this x64 image: the dropped shell.exe actually landed in C:\Windows\SysWOW64 (see "Drops file in System32 directory"), whereas the 64-bit Explorer resolves C:\Windows\system32 to the native directory, where no shell.exe exists, so there the hook would fail to launch programs rather than proxy them.
YARA matches: rule upx (21 hits)
The same rule matches the parent's image and heap, each child's image and the dropped files:
- behavioral1/memory/408-0-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/files/0x0007000000016dbf-8.dat
- behavioral1/files/0x0008000000018b5c-111.dat
- behavioral1/files/0x00050000000195cc-118.dat
- behavioral1/memory/780-115-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/2460-124-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/2460-128-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/files/0x00050000000195f9-129.dat
- behavioral1/files/0x00050000000195fb-139.dat
- behavioral1/memory/1492-142-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/files/0x00050000000195fd-153.dat
- behavioral1/memory/1548-152-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/408-157-0x0000000001D60000-0x0000000001D8F000-memory.dmp
- behavioral1/memory/408-156-0x0000000001D60000-0x0000000001D8F000-memory.dmp
- behavioral1/memory/408-155-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/files/0x00050000000195ff-174.dat
- behavioral1/memory/1532-169-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/2736-179-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/files/0x0005000000019601-180.dat
- behavioral1/memory/2748-193-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/408-192-0x0000000000400000-0x000000000042F000-memory.dmp
Every process image sits at 0x400000-0x42F000 (0x2F000 bytes), and the second region in PID 408 (0x1D60000-0x1D8F000) has the same size, i.e. a further copy of the same image held in the parent's memory. UPX is a stock packer that unpacks cleanly with the UPX tool itself, so static analysis of the unpacked payload is straightforward.
Adds Run key to start application (2 TTPs, 5 IoCs)
All entries written by c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"
Three entries are per-user (HKCU Run) and two are machine-wide under the Wow6432Node Run key, which Explorer on x64 does process, unlike the Wow6432Node Winlogon values above. The value names (MSMSGS, ServiceAdmin, LogonAdmin, System Monitoring) are chosen to look like legitimate software. "C:\Users\Admin\Local Settings\Application Data" is a compatibility junction on Windows 7 that resolves to C:\Users\Admin\AppData\Local; when hunting for the dropped copies, look in C:\Users\<user>\AppData\Local\WINDOWS\, since the junction is deliberately not listable.
Drops file in System32 directory (6 IoCs)
All entries written by c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- File opened for modification C:\Windows\SysWOW64\shell.exe
- File created C:\Windows\SysWOW64\shell.exe
- File created C:\Windows\SysWOW64\Mig2.scr
- File created C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification C:\Windows\SysWOW64\IExplorer.exe
- File opened for modification C:\Windows\SysWOW64\Mig2.scr
Drops file in Windows directory (2 IoCs)
- File opened for modification C:\Windows\xk.exe (c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)
- File created C:\Windows\xk.exe (c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe)
The sample writes to C:\Windows\system32; because it is a 32-bit process on an x64 image, file system redirection places the files in C:\Windows\SysWOW64, which is why every registry value refers to system32 while the files appear under SysWOW64. Creating files there requires administrative rights, which the sample evidently had in the sandbox. The screensaver name is inconsistent on this page: the file is dropped as Mig2.scr, but the SCRNSAVE.EXE value (under "Modifies Control Panel") points to Mig~mig.SCR.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by each of: LSASS.EXE, SMSS.EXE, c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe, xk.exe, IExplorer.exe, WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE
Every copy performs the same read, one more indication that the children are the same binary as the parent.
Modifies Control Panel (4 IoCs)
All entries written by c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"
A .scr file is an ordinary PE executable. These values register the dropped screensaver to run after 600 seconds of idle time without locking the session on resume, a further execution trigger that does not depend on logon. Note the name mismatch with the dropped file Mig2.scr.
Modifies registry class (15 IoCs)
All entries written by c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile
These overlap the 13 entries under "Modifies system executable filetype association"; the two additional entries are the lnkfile and exefile class keys themselves. "Key created" reflects a RegCreateKey call, which opens an existing key just as well, so it does not mean those keys were absent before.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
- PID 408 c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 408 c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe
- PID 780 xk.exe
- PID 2460 IExplorer.exe
- PID 1492 WINLOGON.EXE
- PID 1548 CSRSS.EXE
- PID 1532 SERVICES.EXE
- PID 2736 LSASS.EXE
- PID 2748 SMSS.EXE
Every process in the tree installs a Windows hook. The page does not show the hook type or its scope, so keylogging cannot be concluded from this entry alone.
Suspicious use of WriteProcessMemory (28 IoCs)
PID 408 (c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe) wrote to the memory of each child four times; procid_target is the sandbox's own process index, not a PID:
- 4 x PID 408 -> PID 780 (procid_target 29)
- 4 x PID 408 -> PID 2460 (procid_target 30)
- 4 x PID 408 -> PID 1492 (procid_target 31)
- 4 x PID 408 -> PID 1548 (procid_target 32)
- 4 x PID 408 -> PID 1532 (procid_target 33)
- 4 x PID 408 -> PID 2736 (procid_target 34)
- 4 x PID 408 -> PID 2748 (procid_target 35)
All writes go from the parent into processes it has just created (compare the Processes tree); this is the pattern of a parent setting up its own children, not injection into an unrelated process.
System policy modification (1 TTPs, 4 IoCs)
All entries written by c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
NoFolderOptions removes the Folder Options dialog, so the user cannot re-enable file extensions or hidden files through the UI; together with DisableRegistryTools this locks in the HideFileExt and ShowSuperHidden changes above.
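The registry writes listed under Signatures are the checks a responder would want to run against a suspect host. The following Python, added here as an example and not part of the tria.ge report, encodes them as rules over (key, value name, data, writing process) records. The records in SAMPLE_WRITES are constructed from this report's Signatures section with the display escaping removed; CLEAN_WRITES are constructed Windows-default values used as a control; the severity labels, the SHELL_WRITERS allow-list and the function names are this example's own choices. On a live host the same tuples could be collected with reg query or Get-ItemProperty and fed to scan().

```python
"""Rules for the registry tampering listed in this report (added example, not tria.ge code).
SAMPLE_WRITES is constructed from the Signatures section; CLEAN_WRITES are constructed defaults."""
import ntpath
import re
from dataclasses import dataclass

# Names the sample gives its copies; one of these outside %SystemRoot%\System32 is a masquerade.
SYSTEM_PROCESS_NAMES = {"winlogon.exe", "csrss.exe", "services.exe", "lsass.exe", "smss.exe"}
EXEC_CLASSES = {"exefile", "comfile", "batfile", "piffile"}  # open command is "%1" %* when clean
DEFAULT_OPEN_CMD = '"%1" %*'
SHELL_WRITERS = {"explorer.exe", "systemsettings.exe"}  # legitimately write Explorer\Advanced (assumption)


@dataclass(frozen=True)
class RegWrite:
    key: str      # key path as tria.ge prints it (\REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\...)
    name: str     # value name, "" for the key's default value
    data: object  # str for REG_SZ, int for REG_DWORD
    process: str  # image name of the process that wrote it


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "low" or "info" (labels chosen for this example)
    technique: str  # ATT&CK technique name as the report uses it
    key: str
    reason: str


def _norm_path(s):
    return s.strip().strip('"').lower()


def check(w):
    """Return a Finding for one registry write, or None if it matches no rule."""
    key = w.key.lower().replace("\\wow6432node", "")  # treat the 32-bit view like the native one
    name, data = w.name.lower(), str(w.data)
    if key.endswith("\\windows nt\\currentversion\\winlogon"):
        if name == "shell" and _norm_path(data) != "explorer.exe":
            return Finding("high", "Winlogon Helper DLL", w.key, f"Shell = {data!r}, expected explorer.exe")
        if name == "userinit":
            extra = [p for p in map(_norm_path, data.split(",")) if p and ntpath.basename(p) != "userinit.exe"]
            if extra:
                return Finding("high", "Winlogon Helper DLL", w.key, f"Userinit also launches {extra}")
    m = re.search(r"\\classes\\(\w+)(\\shell\\open\\command)?$", key)
    if m and name == "":
        cls, is_cmd = m.group(1), m.group(2) is not None
        if is_cmd and cls == "lnkfile":  # no such command exists on a clean install
            return Finding("high", "Change Default File Association", w.key, f"shortcuts now run {data}")
        if is_cmd and cls in EXEC_CLASSES and data.strip().lower() != DEFAULT_OPEN_CMD:
            return Finding("high", "Change Default File Association", w.key, f"{cls} opens via {data}")
        if not is_cmd and cls == "exefile" and data != "Application":
            return Finding("high", "Hide Artifacts", w.key, f"Explorer will label .exe files {data!r}")
    if key.endswith("\\policies\\system") and name == "disableregistrytools" and w.data == 1:
        return Finding("high", "Modify Registry", w.key, "regedit disabled (reg.exe and PowerShell still work)")
    if key.endswith("\\policies\\explorer") and name == "nofolderoptions" and w.data == 1:
        return Finding("high", "Modify Registry", w.key, "Folder Options hidden; user cannot undo view changes")
    if key.endswith("\\explorer\\advanced") and name in {"hidefileext", "showsuperhidden"}:
        # HideFileExt=1 / ShowSuperHidden=0 are Windows defaults: the writer is the evidence, not the value.
        if w.process.lower() not in SHELL_WRITERS:
            return Finding("low", "Hidden Files and Directories", w.key, f"{w.name}={w.data} written by {w.process}")
    if key.endswith("\\currentversion\\run"):
        path = _norm_path(data)
        if ntpath.basename(path) in SYSTEM_PROCESS_NAMES and not path.startswith("c:\\windows\\system32\\"):
            return Finding("high", "Registry Run Keys / Startup Folder", w.key,
                           f"{w.name} starts {path}: system process name outside System32")
        return Finding("info", "Registry Run Keys / Startup Folder", w.key, f"{w.name} starts {path}")
    return None


def scan(writes):
    """Findings for all records, highest severity first."""
    order = {"high": 0, "low": 1, "info": 2}
    return sorted((f for f in map(check, writes) if f), key=lambda f: order[f.severity])


SID = "S-1-5-21-2257386474-3982792636-3902186748-1000"
HKLM, HKCU = "\\REGISTRY\\MACHINE\\SOFTWARE", f"\\REGISTRY\\USER\\{SID}\\Software"
WINLOGON = "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SAMPLE = "c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe"
DROP_DIR = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\"

# Constructed from the report's Signatures section, with the display escaping removed.
SAMPLE_WRITES = [
    RegWrite(HKLM + "\\Wow6432Node" + WINLOGON, "Shell", 'Explorer.exe "C:\\Windows\\system32\\IExplorer.exe"', SAMPLE),
    RegWrite(HKLM + "\\Wow6432Node" + WINLOGON, "Userinit",
             "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe", SAMPLE),
    RegWrite(HKLM + "\\Classes\\exefile\\shell\\open\\command", "", '"C:\\Windows\\system32\\shell.exe" "%1" %*', SAMPLE),
    RegWrite(HKLM + "\\Classes\\lnkfile\\shell\\open\\command", "", '"C:\\Windows\\system32\\shell.exe" "%1" %*', SAMPLE),
    RegWrite(HKLM + "\\Classes\\exefile", "", "File Folder", SAMPLE),
    RegWrite(HKLM + "\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "DisableRegistryTools", 1, SAMPLE),
    RegWrite(HKLM + "\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoFolderOptions", 1, SAMPLE),
    RegWrite(HKCU + "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HideFileExt", 1, SAMPLE),
    RegWrite(HKCU + "\\Microsoft\\Windows\\CurrentVersion\\Run", "MSMSGS", DROP_DIR + "WINLOGON.EXE", SAMPLE),
    RegWrite(HKCU + "\\Microsoft\\Windows\\CurrentVersion\\Run", "xk", "C:\\Windows\\xk.exe", SAMPLE),
]
# Constructed clean-system values; none should produce a finding.
CLEAN_WRITES = [
    RegWrite(HKLM + WINLOGON, "Shell", "explorer.exe", "System"),
    RegWrite(HKLM + WINLOGON, "Userinit", "C:\\Windows\\system32\\userinit.exe,", "System"),
    RegWrite(HKLM + "\\Classes\\exefile\\shell\\open\\command", "", '"%1" %*', "System"),
    RegWrite(HKCU + "\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "HideFileExt", 1, "explorer.exe"),
]
```

scan(SAMPLE_WRITES) yields ten findings, eight of them high (the two Winlogon values, the exefile and lnkfile open commands, the exefile type description, the two policies and the Run entry that starts WINLOGON.EXE from the user profile); the HideFileExt write is low and the xk Run entry is informational. scan(CLEAN_WRITES) yields nothing. The Wow6432Node stripping is deliberate: the rules should fire whichever registry view the writer was redirected to, and the x64-specific question of whether a redirected value is honoured is left to the analyst.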
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe, PID 408
  command line: "C:\Users\Admin\AppData\Local\Temp\c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - depth 2: C:\Windows\xk.exe, PID 780
    command line: C:\Windows\xk.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - depth 2: C:\Windows\SysWOW64\IExplorer.exe, PID 2460
    command line: C:\Windows\system32\IExplorer.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE, PID 1492
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE, PID 1548
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE, PID 1532
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE, PID 2736
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - depth 2: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE, PID 2748
    command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Every child is launched directly by PID 408; there are no grandchildren. IExplorer.exe is requested as C:\Windows\system32\IExplorer.exe but runs from C:\Windows\SysWOW64, the WOW64 file system redirection applied to a 32-bit parent. The five copies named WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE and SMSS.EXE imitate core system processes; the genuine ones run from C:\Windows\System32, so when triaging a host the image path, not the name, is the discriminator.
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Change Default File Association (T1546.001): 1
Defense Evasion
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Modify Registry (T1112): 6
Downloads
Eight files, each 91KB. The second entry has the same hashes as the submitted sample (see General); the page does not state which dropped file each of the other seven corresponds to.
- Filesize: 91KB
  MD5: a90b4c106213e56363e3b35e3a815f02
  SHA1: 26855c80e6747e6cbbd2f9392ec02ace71a06111
  SHA256: bbbc47c24adcde0477c63cce356ac85bd790d8c4b3d2f831140974842e08640b
  SHA512: 7283fe583520ba2b3cc13de47ff8c78b21cb5db1a46e4d9edd1e40e3f8938c2fe9df92832a57bc47c53430fc81b0cdb257ca558e0868f88cb95f615f646efc12
- Filesize: 91KB
  MD5: b2e7729144512e4662ecdf17295b7d7e
  SHA1: 913a139a2c0d0d8c39de05ccb460c3138fdc6c2c
  SHA256: c26b32555fc87bcc3254bbc8b243de5bba809aa719383807c3b993a48dc88de3
  SHA512: 50c2c27137aae8f1fc68d14fd76612fee8c8af4d1a17fa15a027890c206acfe447ab67f819ac2aa6430227fba154c7488c88952b072a0e1fb3e3199d659e4786
- Filesize: 91KB
  MD5: 77b677203afc214e71d946bbe6f649d1
  SHA1: 00d511a9cee7ebc0850e64d91524ef61bbc620df
  SHA256: e4941fc31be7e1974885dcb7decda9755f712adb55eae479cec5803f7d5fcc4d
  SHA512: b6f16c21233f8aca813a4fccaf4100fc65ed08b0ceac9c6922afa20b1d1d9559d44468e94fa798c77a02a32d4ec7c230249ffe3ceb9e140f34da9e0e40d3afe1
- Filesize: 91KB
  MD5: 5cbfecaf62e29aa6d5679b2abb88939d
  SHA1: 53eda7313ed0f11e8eb2a9ccfb719a73cc50a497
  SHA256: b42931eaaaa0901e8e8135d3cc900ce3f6b14fad9454d808f966105fb2a8de79
  SHA512: 31970c83ba5611afba7708ff535524311252b6fd25b771f4ca995a9477a06cdb24f8ffded898326c03a037070f4b02e0f382b6fbe8b44ccf52f16541e333911d
- Filesize: 91KB
  MD5: 785cab6a1ffdf5cf80b25e4533d8cb1b
  SHA1: addd4cc9cd37915a06f6f5e4863941cbc3179df7
  SHA256: 50e3a99e159cc8f3c8f35692cd61a4fe6501b9138a8008e2f698b99ac5d88b9e
  SHA512: 896faa617dcd17d495c8e174a18ab4b15e4ec5078fd3033917b1380b945b2ff5e95d793e47022dd3d95c07b5c3013d915592ed283624fb5c355365baff9e4794
- Filesize: 91KB
  MD5: 4943f9812d1f65d55cce785b8695b5e2
  SHA1: b68590a979a85ee92528910af8c44e4fca07eb96
  SHA256: 3db16e11645e9c9c6042c42170906d3b9322278ad89c5726136d7b779b5eadfb
  SHA512: 55396e1fdcf9f4f9c57822fedcaa8d16849a5c90145aa27cbb9373947d5ef230989383ed62d46a05d887e4a2e149309656def470dc459733ae87d34f2353da38
- Filesize: 91KB
  MD5: 37cbce951a4745e13737f398228eefcc
  SHA1: d745a814fa110dc1b99366e497be7468dd6a9fd1
  SHA256: 20e22ec177166eb18269edf44d9a42b9d4ae82ac62f36559063fd6ecaa7374d1
  SHA512: 0bce4d4ecec76d0b228ea3a27c9d59766e66fd62dd19c7060fbb1859250b2fd618f1edfc1bdfd265a047a00e5b8b03c889cbf238535752fd68b00e50547ac224
- Filesize: 91KB
  MD5: 1508951777ea1bffec0adc193ab78c53
  SHA1: 86cce67d989c565481345a213aa684eacfdcdd69
  SHA256: d8af5cff1ecdeea23bba0a11c04be1ab01fee8bf10456c7481db8e5395d3866a
  SHA512: 86d8dda45ca94ab127599ef4cd8c164f4e29d4fa113dc8f5964da8f56418415919d70c73508d44a5024b3281265a085ce8c182c1731b905be40ca5a7b438f602