2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
28/08/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Size

91KB
MD5

471e76d60799426e3bd9c46a8ce16f19
SHA1

45d177fb3b42209dbb2450765896acf9b7910da8
SHA256

2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0
SHA512

67b00015002e3c9d8f6a8ed7d2684e2bca001cf27dc6fc51e535cc6c873e7ed328c61a5d7c78ecd3d14cd730d41d3e353e7e2ce380e0b633960caac36e0aeaba
SSDEEP

1536:QRsjdIZfaif4YrxCjjKnouy8VzlRsjdIZfaif4YrxCjjKnouy8VzK:QOyZy9wCjOouttlOyZy9wCjOouttK

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
3036	xk.exe
1924	IExplorer.exe
1512	WINLOGON.EXE
1436	CSRSS.EXE
1852	SERVICES.EXE
292	LSASS.EXE
2008	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2980-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00090000000162d8-8.dat	upx
behavioral1/files/0x0007000000016c03-109.dat	upx
behavioral1/memory/3036-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019272-113.dat	upx
behavioral1/memory/1924-120-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019309-124.dat	upx
behavioral1/memory/1924-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019346-133.dat	upx
behavioral1/memory/1512-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2980-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019358-145.dat	upx
behavioral1/memory/1436-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019368-158.dat	upx
behavioral1/memory/1852-160-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019385-169.dat	upx
behavioral1/memory/292-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2008-181-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2980-182-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
File created	C:\Windows\SysWOW64\shell.exe	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
File created	C:\Windows\SysWOW64\Mig2.scr	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
File created	C:\Windows\xk.exe	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
3036	xk.exe
1924	IExplorer.exe
1512	WINLOGON.EXE
1436	CSRSS.EXE
1852	SERVICES.EXE
292	LSASS.EXE
2008	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 3036	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	30
PID 2980 wrote to memory of 3036	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	30
PID 2980 wrote to memory of 3036	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	30
PID 2980 wrote to memory of 3036	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	30
PID 2980 wrote to memory of 1924	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	31
PID 2980 wrote to memory of 1924	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	31
PID 2980 wrote to memory of 1924	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	31
PID 2980 wrote to memory of 1924	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	31
PID 2980 wrote to memory of 1512	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	32
PID 2980 wrote to memory of 1512	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	32
PID 2980 wrote to memory of 1512	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	32
PID 2980 wrote to memory of 1512	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	32
PID 2980 wrote to memory of 1436	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	33
PID 2980 wrote to memory of 1436	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	33
PID 2980 wrote to memory of 1436	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	33
PID 2980 wrote to memory of 1436	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	33
PID 2980 wrote to memory of 1852	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	34
PID 2980 wrote to memory of 1852	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	34
PID 2980 wrote to memory of 1852	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	34
PID 2980 wrote to memory of 1852	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	34
PID 2980 wrote to memory of 292	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	35
PID 2980 wrote to memory of 292	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	35
PID 2980 wrote to memory of 292	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	35
PID 2980 wrote to memory of 292	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	35
PID 2980 wrote to memory of 2008	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	36
PID 2980 wrote to memory of 2008	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	36
PID 2980 wrote to memory of 2008	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	36
PID 2980 wrote to memory of 2008	2980	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe

C:\Users\Admin\AppData\Local\Temp\2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe
"C:\Users\Admin\AppData\Local\Temp\2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2980
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1924
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1512
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1436
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:292
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
471e76d60799426e3bd9c46a8ce16f19

SHA1
45d177fb3b42209dbb2450765896acf9b7910da8

SHA256
2eec1072e347598c1ca4eca19782cbee00ffeb79af5130656af9e747b2e9e2b0

SHA512
67b00015002e3c9d8f6a8ed7d2684e2bca001cf27dc6fc51e535cc6c873e7ed328c61a5d7c78ecd3d14cd730d41d3e353e7e2ce380e0b633960caac36e0aeaba

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
6c4a4e31dbd11bfebfee21bfd6a2e5bc

SHA1
cef52de17e97c4af571115d12a8ccd0d152c763d

SHA256
09569d8dd169b20364d9e421321115a1d11deaa94d2f64450608e492a5067d81

SHA512
a7e8c3ce195a055dfe9bf8f5dd4fb888a7776450ac775b81c0a567f61b966636a4bfbd7e88858e02999d55f6c4840149343fbb1ce9728f5b34fe019e9603c4ac

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
ac3c4670bc125478479f3bfe485dbaec

SHA1
f99ee08e3585c2c6bbb14093ba07d980004a202d

SHA256
2370394792dc4eefbf78ec754d688a011d39a864de46b78a4f06bb5e8acb81ef

SHA512
14c27d50033b2aa489f3948e4bd91545ad892c43310d19ca0601dbb9400362f4d514abc16350e0a990f8d915fbb3ce6d229de38e1328db761c5a940ceeee1ae8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
5b21724fd8226cd2ba0532d555135d71

SHA1
a0beb1fc15af9f02d1d8354cb804f286aa4a9498

SHA256
f2d8505e24934f5362d41af7a44c7b447d1e699873f6100e85a60ffd73ce47a4

SHA512
3f49ebb488f9ae833b334dbf8a59c7ea639f499cce56b88f2d1482413752d1d033d807d5a0121e5d05a16fe3bf2506e08b8dff3feead7756e9e9ca57b315d816

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
2b29d67d62758fcc09f40ee1aa515cd5

SHA1
c39b5a07b7a3737dd335589af7394b58af6df0fb

SHA256
7ed54d4dde72df7c59493bd1fc6327db99a5c0bbeae9525762517a244c50e5e3

SHA512
89a502c47fddc43bc61d9fdbe13df5a89e4e47908c2ee43b43f3a0b672c796bcf8f6b7360f711dbf40fc70b2a56483ea258b7d69dd508d197831a8170d64eb97

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
688323a1a509fe0aeb3f4a7f97bdb188

SHA1
74e2fab5ec7e151c8829a95782e75c26d5ee5951

SHA256
d6a5189951956d57ebf752c2cdc5f1a9ec405eb1b1e8fbcc105770a3a645b6e5

SHA512
5abc6d962f5b5a3f090f5b624fa1f6d1736e641b8d81a8cf436ac1bd29d28d945bc84b213458b8668f2e9269beee880abf773a0697bc8a369d7a15555e7a3c39

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
662561cbbd666dd8f6174865388d7018

SHA1
03948005a7df7c09b20a80c8854fdd739816462e

SHA256
66c3afc1c3f35610c1b5ba6a106544c4bdd2542395d4eee6ae7d1d5274d9b50d

SHA512
36b84c371e52c099dc3a493a2d13ef1a768b8e984e8d65d0d2ef2363842ea433dc948a92015b92b5346fd30b66bf4639ada4968ea9d09a300471c39360a63dca

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
6537ad9a7806fdf1d389b9a7efd33302

SHA1
32dc3fa36fbe7ff6074a192f1e7584b4720759b0

SHA256
4ba50c111c0981309b6cded18e0dc2fb67c2b3700963767fe543dfed165f7d01

SHA512
3221751c754ac36466392a4cff03f84cac550a6de3d12b1b8a4036cdbb63cae649a47b4a3169794ca293162b594a8ef969df2f2bf2dcc54ead5fee1fc7fbcb97

Download Submit
memory/292-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1436-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1512-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-154-0x0000000002530000-0x000000000255F000-memory.dmp

Filesize
188KB

Download
memory/2980-108-0x0000000002530000-0x000000000255F000-memory.dmp

Filesize
188KB

Download
memory/2980-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2980-182-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3036-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download