ac57eabadc32c1f69b1721c7de151525be8043213d2dbfd9daa1fe3647c44ee9

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

453322ffc2efa731e89cbcf9081e7740N.exe
Size

196KB
MD5

453322ffc2efa731e89cbcf9081e7740
SHA1

bee54ff2d7c99af41d12eb40c2b9ec8694f76d6b
SHA256

ac57eabadc32c1f69b1721c7de151525be8043213d2dbfd9daa1fe3647c44ee9
SHA512

b5d3f2f256b8ec55b052f3b2de2d612657552f939a83e5d1fa069a9e8c628c975c2b59a93686b961da9760ec29064fa24cc7d8bf6265c5d45ea2963ac58e6d6d
SSDEEP

3072:ZOgUXoutNuxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoScRARoYlld9n2Qpmx

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	453322ffc2efa731e89cbcf9081e7740N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	453322ffc2efa731e89cbcf9081e7740N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	453322ffc2efa731e89cbcf9081e7740N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	453322ffc2efa731e89cbcf9081e7740N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
936	xk.exe
2588	IExplorer.exe
2460	WINLOGON.EXE
1660	CSRSS.EXE
2776	SERVICES.EXE
1496	LSASS.EXE
1888	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe
1736	453322ffc2efa731e89cbcf9081e7740N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0008000000015d9c-8.dat	upx
behavioral1/files/0x0009000000015fa5-111.dat	upx
behavioral1/memory/936-115-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d72-118.dat	upx
behavioral1/memory/2588-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d92-131.dat	upx
behavioral1/memory/2460-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016da7-141.dat	upx
behavioral1/memory/1736-146-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1660-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016dbd-151.dat	upx
behavioral1/memory/2776-162-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016dcf-163.dat	upx
behavioral1/files/0x0006000000016dd8-176.dat	upx
behavioral1/memory/1888-185-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1496-175-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1496-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1736-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1888-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	453322ffc2efa731e89cbcf9081e7740N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	453322ffc2efa731e89cbcf9081e7740N.exe
File created	C:\Windows\SysWOW64\shell.exe	453322ffc2efa731e89cbcf9081e7740N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	453322ffc2efa731e89cbcf9081e7740N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	453322ffc2efa731e89cbcf9081e7740N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	453322ffc2efa731e89cbcf9081e7740N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	453322ffc2efa731e89cbcf9081e7740N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	453322ffc2efa731e89cbcf9081e7740N.exe
File created	C:\Windows\xk.exe	453322ffc2efa731e89cbcf9081e7740N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	453322ffc2efa731e89cbcf9081e7740N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	453322ffc2efa731e89cbcf9081e7740N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	453322ffc2efa731e89cbcf9081e7740N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1736	453322ffc2efa731e89cbcf9081e7740N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1736	453322ffc2efa731e89cbcf9081e7740N.exe
936	xk.exe
2588	IExplorer.exe
2460	WINLOGON.EXE
1660	CSRSS.EXE
2776	SERVICES.EXE
1496	LSASS.EXE
1888	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 936	1736	453322ffc2efa731e89cbcf9081e7740N.exe	30
PID 1736 wrote to memory of 936	1736	453322ffc2efa731e89cbcf9081e7740N.exe	30
PID 1736 wrote to memory of 936	1736	453322ffc2efa731e89cbcf9081e7740N.exe	30
PID 1736 wrote to memory of 936	1736	453322ffc2efa731e89cbcf9081e7740N.exe	30
PID 1736 wrote to memory of 2588	1736	453322ffc2efa731e89cbcf9081e7740N.exe	31
PID 1736 wrote to memory of 2588	1736	453322ffc2efa731e89cbcf9081e7740N.exe	31
PID 1736 wrote to memory of 2588	1736	453322ffc2efa731e89cbcf9081e7740N.exe	31
PID 1736 wrote to memory of 2588	1736	453322ffc2efa731e89cbcf9081e7740N.exe	31
PID 1736 wrote to memory of 2460	1736	453322ffc2efa731e89cbcf9081e7740N.exe	32
PID 1736 wrote to memory of 2460	1736	453322ffc2efa731e89cbcf9081e7740N.exe	32
PID 1736 wrote to memory of 2460	1736	453322ffc2efa731e89cbcf9081e7740N.exe	32
PID 1736 wrote to memory of 2460	1736	453322ffc2efa731e89cbcf9081e7740N.exe	32
PID 1736 wrote to memory of 1660	1736	453322ffc2efa731e89cbcf9081e7740N.exe	33
PID 1736 wrote to memory of 1660	1736	453322ffc2efa731e89cbcf9081e7740N.exe	33
PID 1736 wrote to memory of 1660	1736	453322ffc2efa731e89cbcf9081e7740N.exe	33
PID 1736 wrote to memory of 1660	1736	453322ffc2efa731e89cbcf9081e7740N.exe	33
PID 1736 wrote to memory of 2776	1736	453322ffc2efa731e89cbcf9081e7740N.exe	34
PID 1736 wrote to memory of 2776	1736	453322ffc2efa731e89cbcf9081e7740N.exe	34
PID 1736 wrote to memory of 2776	1736	453322ffc2efa731e89cbcf9081e7740N.exe	34
PID 1736 wrote to memory of 2776	1736	453322ffc2efa731e89cbcf9081e7740N.exe	34
PID 1736 wrote to memory of 1496	1736	453322ffc2efa731e89cbcf9081e7740N.exe	35
PID 1736 wrote to memory of 1496	1736	453322ffc2efa731e89cbcf9081e7740N.exe	35
PID 1736 wrote to memory of 1496	1736	453322ffc2efa731e89cbcf9081e7740N.exe	35
PID 1736 wrote to memory of 1496	1736	453322ffc2efa731e89cbcf9081e7740N.exe	35
PID 1736 wrote to memory of 1888	1736	453322ffc2efa731e89cbcf9081e7740N.exe	36
PID 1736 wrote to memory of 1888	1736	453322ffc2efa731e89cbcf9081e7740N.exe	36
PID 1736 wrote to memory of 1888	1736	453322ffc2efa731e89cbcf9081e7740N.exe	36
PID 1736 wrote to memory of 1888	1736	453322ffc2efa731e89cbcf9081e7740N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	453322ffc2efa731e89cbcf9081e7740N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	453322ffc2efa731e89cbcf9081e7740N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	453322ffc2efa731e89cbcf9081e7740N.exe

C:\Users\Admin\AppData\Local\Temp\453322ffc2efa731e89cbcf9081e7740N.exe
"C:\Users\Admin\AppData\Local\Temp\453322ffc2efa731e89cbcf9081e7740N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1736
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:936
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2588
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2460
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1660
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1496
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
196KB

MD5
453322ffc2efa731e89cbcf9081e7740

SHA1
bee54ff2d7c99af41d12eb40c2b9ec8694f76d6b

SHA256
ac57eabadc32c1f69b1721c7de151525be8043213d2dbfd9daa1fe3647c44ee9

SHA512
b5d3f2f256b8ec55b052f3b2de2d612657552f939a83e5d1fa069a9e8c628c975c2b59a93686b961da9760ec29064fa24cc7d8bf6265c5d45ea2963ac58e6d6d

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
4b2c3fe1e569efb8d42ce657fab44d67

SHA1
783507a98f0c88ba2da22f98389b8f45aed6f567

SHA256
b41617e3826127b765b98b653752c2be682c0bf210f8a11bfb83e84a78c221fd

SHA512
84b4a7b813ec44b151f9dbaf178a8c9c423894f4b8bb206eceed0fe18993bfae3e8088c4aa605d695ec18e45f3c1b0bfb9b09ec6c044c5ec0fb94fd3ade5dba0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
405d7fa69a3c9ac49581a389cf57f5f9

SHA1
5f6ec426a9dfeed98355627a7e9cf8373a0c5f1e

SHA256
d23693eb5a91cc93c00fe096bc134402c0a0b16bba965bf270daf33acd1cd680

SHA512
cec1bcb1de4dc053441f59d202a890e18ba44de600dcececd8d3637ad6541c858013ed649c0ce9d92833636fa21bc829594720de2a21ff89540c61f65a491b94

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
ae2d6bd89c600c64e6d754dc80067651

SHA1
09aab30e22eb2608eff889aa43725e47faccf940

SHA256
3701e67b00b9f1bc9287d219d5a00f64a2f095bcaea40d8705b6bf2261031156

SHA512
df82fdb5663928f00d2c1b3c1c186c602d5b886604292aefaef0ef9380cf931157251ec07dbb18ea0d59f927e4f616c1b6b56c93438713819d9d1df07b502ada

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
128fc671342013240209529e1d9112f6

SHA1
4b89cf93df7f4cd3f53dc031664d53d327b0bda1

SHA256
7cf7c6bbe30bf160d30bf70f90977a75aed60759584ecce8d126f2884540d45f

SHA512
dfbc40212d6c6ac4ce45d28a0ce46b9bf2cabc6189dd54f72610fd211661bca36ac38a30aca07594e03b0d3ce5923d75b6413f01113b554dd41fcdfa14d76efb

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
3cabfd9e1c53f6f7d57ce623563dac45

SHA1
820c9c58eaf89562c3a975bc0987049f18faab69

SHA256
299cf89afd08f654cd4a5eff797bda0178712a811bb48ca4a5f1ec617a723d56

SHA512
a0d2a16c8aa7d9f9d012a3a0b1d05dc5b880e622408ab91edb6361513e41fd499d0e753fa7abbc52e1b0b8975702d74792abe47567e21ca7b9d9aca4d403ebbe

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
cc9c5d1d9a3e53407988eac29630befd

SHA1
016d1ba1326c7239e96d54ef594f34f27ec74ce3

SHA256
769fcc61df9b2da339a10e1eadce995c35fde5adfbefbaf4abeab164695fbb01

SHA512
f156967975192de8dc639cf361b69a7ad322f54b8fdbb37edc22fd9ff35279bb0d20fbb399d36ee912026e70a5b12598f30de5f40b4cb6194ce058acbc87713e

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
a51e4590820c2abf6dfd50dde305121c

SHA1
97c179ba3da2a03ab7e781f0ccdebca2940087e7

SHA256
477571e7d092e81946cbd071562f187a1fee80eff43e38abacaccc74a53b5263

SHA512
1adcf030eef2d6f99ab6cd1491438d1f553067bb402d0ad3f8c0a0ccea2be7bfa5ff41374dffffc495503a9a9787e1252e8c96a3fdaf4f47f26bfc6293b6e755

Download Submit
memory/936-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1660-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-124-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1736-145-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1736-123-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1736-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-158-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1736-170-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1736-110-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1736-109-0x0000000000470000-0x000000000049F000-memory.dmp

Filesize
188KB

Download
memory/1736-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-185-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2776-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download