6e55b7243ffc05fcf2bee4eec02070aff5823965163d380eeef7081de60f3ac5

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 23:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4e5f1c500f5deef7de4db6ad633baaa0N.exe
Size

91KB
MD5

4e5f1c500f5deef7de4db6ad633baaa0
SHA1

ed59000106e0ba547495c73a1a0a5d07229ae74d
SHA256

6e55b7243ffc05fcf2bee4eec02070aff5823965163d380eeef7081de60f3ac5
SHA512

a79ea823f4619fbdced4e7622614fc37c670a720c73918ab97f54639a13bda5e8ca8f1e09f1cbcefd5217a8cd8681d921627a197de545534e05cced3c6ecc598
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiFJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIFvtYxOuYotvYQIE

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2076	xk.exe
2020	IExplorer.exe
2568	WINLOGON.EXE
2984	CSRSS.EXE
2804	SERVICES.EXE
2112	LSASS.EXE
1432	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016d4a-8.dat	upx
behavioral1/files/0x0007000000016d65-108.dat	upx
behavioral1/memory/2076-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001870f-113.dat	upx
behavioral1/memory/2020-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2568-132-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018bc8-131.dat	upx
behavioral1/memory/2568-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000191dc-144.dat	upx
behavioral1/memory/2736-139-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2984-147-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000191f1-148.dat	upx
behavioral1/memory/2804-155-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2804-159-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019244-160.dat	upx
behavioral1/files/0x000500000001924a-170.dat	upx
behavioral1/memory/2112-169-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1432-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2736-181-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	4e5f1c500f5deef7de4db6ad633baaa0N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4e5f1c500f5deef7de4db6ad633baaa0N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	4e5f1c500f5deef7de4db6ad633baaa0N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4e5f1c500f5deef7de4db6ad633baaa0N.exe
File created	C:\Windows\SysWOW64\shell.exe	4e5f1c500f5deef7de4db6ad633baaa0N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	4e5f1c500f5deef7de4db6ad633baaa0N.exe
File created	C:\Windows\xk.exe	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe
2076	xk.exe
2020	IExplorer.exe
2568	WINLOGON.EXE
2984	CSRSS.EXE
2804	SERVICES.EXE
2112	LSASS.EXE
1432	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2076	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	30
PID 2736 wrote to memory of 2076	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	30
PID 2736 wrote to memory of 2076	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	30
PID 2736 wrote to memory of 2076	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	30
PID 2736 wrote to memory of 2020	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	31
PID 2736 wrote to memory of 2020	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	31
PID 2736 wrote to memory of 2020	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	31
PID 2736 wrote to memory of 2020	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	31
PID 2736 wrote to memory of 2568	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	32
PID 2736 wrote to memory of 2568	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	32
PID 2736 wrote to memory of 2568	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	32
PID 2736 wrote to memory of 2568	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	32
PID 2736 wrote to memory of 2984	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	33
PID 2736 wrote to memory of 2984	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	33
PID 2736 wrote to memory of 2984	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	33
PID 2736 wrote to memory of 2984	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	33
PID 2736 wrote to memory of 2804	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	34
PID 2736 wrote to memory of 2804	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	34
PID 2736 wrote to memory of 2804	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	34
PID 2736 wrote to memory of 2804	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	34
PID 2736 wrote to memory of 2112	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	35
PID 2736 wrote to memory of 2112	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	35
PID 2736 wrote to memory of 2112	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	35
PID 2736 wrote to memory of 2112	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	35
PID 2736 wrote to memory of 1432	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	36
PID 2736 wrote to memory of 1432	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	36
PID 2736 wrote to memory of 1432	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	36
PID 2736 wrote to memory of 1432	2736	4e5f1c500f5deef7de4db6ad633baaa0N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4e5f1c500f5deef7de4db6ad633baaa0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4e5f1c500f5deef7de4db6ad633baaa0N.exe

C:\Users\Admin\AppData\Local\Temp\4e5f1c500f5deef7de4db6ad633baaa0N.exe
"C:\Users\Admin\AppData\Local\Temp\4e5f1c500f5deef7de4db6ad633baaa0N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2736
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2076
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2020
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2984
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2804
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2112
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
5e51e78cc7e9c7ebc8e5b51c8a7ba095

SHA1
63cdd6aa1c115f879aef76120e13c5a968f68048

SHA256
948bfee4a67edf06d6a544b79c60914cb06abfe29da4418648f5b796c880e4c1

SHA512
69c594547a89b8f9d83de3a38f1c61956dddb9ad5d6765fb816cddd8753e2503bd73e4bf1658364e12f30eed0f21193e1b5505d57776cfc2416a140f295e5f17

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
7c3e50597cc0e351c5ad1078d2f5d256

SHA1
fa31eed95679624b3a26572ebbe6f66e9dcec0c3

SHA256
d5e8c1b2486201290b77faacf170eaa2d609f275117f51fecf8ffaedf9160490

SHA512
a1b612b18f27652c5e73e746869931eba51efeb5019674dd01ce40f2bed73b4760e859b00e867a08b7339f091c8c404161767dd38bac00ff4b9b98341b9e6a55

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
4e5f1c500f5deef7de4db6ad633baaa0

SHA1
ed59000106e0ba547495c73a1a0a5d07229ae74d

SHA256
6e55b7243ffc05fcf2bee4eec02070aff5823965163d380eeef7081de60f3ac5

SHA512
a79ea823f4619fbdced4e7622614fc37c670a720c73918ab97f54639a13bda5e8ca8f1e09f1cbcefd5217a8cd8681d921627a197de545534e05cced3c6ecc598

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
e00e4fcd21854173caea0172853703d6

SHA1
918507a0080033044cb1a3d461fb4adcd168994d

SHA256
a0caa8beebb3fece1cc7e2acaa6b9359511b349b22fb8b8d48fa057ea3885e9f

SHA512
798fd9c8d6bff387a562eb8ccf3ec13fbcf9d51f921fd2991da748834706cfbf8a19715536f75615c66af42847761b7248e5f7dfd33cdd035740f4160a9de25e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
21e4b78341776d493ffb49cb7a33e2d7

SHA1
474a940379aa539825841af5cc8deef60b489824

SHA256
b256ef7b9e2d138c7ba8d7d0f667b0957d69eb610f24297bf431eed067ee1db3

SHA512
2815065562e80cd303fd60ec50c8c94c131c6deaa246c198ed38612ba6a112fe2692ee7fbd2464ad8198f6252dbf7d1614403e4f7cd64b6f61278fb5911ca8c2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
8e8b4717e9598164ef38c6dd90fe7df6

SHA1
71641b538175a9990297d3b4292ddf7cbd64c05d

SHA256
fc98b823f18007f09a8de56cc4ece928d5782aed8757757261ffd0d3188bc69e

SHA512
1d4898fe1e5534af172a6a4421cad5eb4f7e996dc27cae95c0de4c17c60bf424d7214243108cd273a34274ddebc2582f9e2081d867099c506f1f638b6e57de71

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
38c97f01f1669fbd015f0cdfa100be0d

SHA1
94b31cff0861b41f9c5227a82e53f6f65a5e2e09

SHA256
bc36e82e216149d323bda1efa32f4266593cf4502c57aef16e032a14e50e84c0

SHA512
c33812926dd016687cbbdad0a0fa3eda1877393d222b20b3a984bf44c19df0270fce0f4bcbb985089854d4ffbd5d37f10a73c5a96587c36810585d53d77d3582

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
7d01d1e076fc7a1c8a1e4b10a9baf70c

SHA1
7f0b6f5ce344b2f7f0100c9fc3ea6db5b724e327

SHA256
7679eb678661ee0a086a0141f7dec9c07f7ca7f374f9a5d60f2a39d981d01035

SHA512
30cea15a0c9c607efa3d0c4486612f9d0cff674e3dbe6acad648f96bcea492cb71810a6d4444f145791671d8569ca491bb424d2945a3f8b169f1b71a8354aa9b

Download Submit
memory/1432-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2112-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-132-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-130-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2736-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-109-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2736-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-159-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download