acb398338145f18f11ebb57b8a3480369f0a9838cab3b2b6e5befa2a76d75c20

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4467692df3f5ba1aff4f51d021a5f5a0N.exe
Size

63KB
MD5

4467692df3f5ba1aff4f51d021a5f5a0
SHA1

658810d6c85ca812be6be2b4001d6aeeab8d6c1d
SHA256

acb398338145f18f11ebb57b8a3480369f0a9838cab3b2b6e5befa2a76d75c20
SHA512

16670cbbd831ea7d011db0f3c3984dfcf46504981fde029a5a970a992b5fd7ed1af467492eedc73e2be9e93adf880d3500b3d6d49a7f9b30ab58ce1374e237df
SSDEEP

768:jSxam3Usjr3REXXr8yxFChMp7v9DLKrzCnbcuyD7UVeQI5noPNcAvcV4RP0U+t6:jRsjdEIUFC2p79OCnouy8VDaAG4RsfU

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2684	xk.exe
2076	IExplorer.exe
572	WINLOGON.EXE
2916	CSRSS.EXE
2828	SERVICES.EXE
796	LSASS.EXE
1892	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2548-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001932a-8.dat	upx
behavioral1/memory/2684-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00070000000194f6-109.dat	upx
behavioral1/files/0x000500000001a41d-115.dat	upx
behavioral1/memory/2076-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2684-118-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2076-130-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a455-131.dat	upx
behavioral1/memory/572-140-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a477-141.dat	upx
behavioral1/memory/2916-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2548-153-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2828-161-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a486-162.dat	upx
behavioral1/memory/796-174-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a48a-175.dat	upx
behavioral1/memory/2548-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1892-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	4467692df3f5ba1aff4f51d021a5f5a0N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4467692df3f5ba1aff4f51d021a5f5a0N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4467692df3f5ba1aff4f51d021a5f5a0N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	4467692df3f5ba1aff4f51d021a5f5a0N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4467692df3f5ba1aff4f51d021a5f5a0N.exe
File created	C:\Windows\SysWOW64\shell.exe	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	4467692df3f5ba1aff4f51d021a5f5a0N.exe
File created	C:\Windows\xk.exe	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe
2684	xk.exe
2076	IExplorer.exe
572	WINLOGON.EXE
2916	CSRSS.EXE
2828	SERVICES.EXE
796	LSASS.EXE
1892	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2684	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	30
PID 2548 wrote to memory of 2684	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	30
PID 2548 wrote to memory of 2684	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	30
PID 2548 wrote to memory of 2684	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	30
PID 2548 wrote to memory of 2076	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	31
PID 2548 wrote to memory of 2076	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	31
PID 2548 wrote to memory of 2076	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	31
PID 2548 wrote to memory of 2076	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	31
PID 2548 wrote to memory of 572	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	32
PID 2548 wrote to memory of 572	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	32
PID 2548 wrote to memory of 572	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	32
PID 2548 wrote to memory of 572	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	32
PID 2548 wrote to memory of 2916	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	33
PID 2548 wrote to memory of 2916	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	33
PID 2548 wrote to memory of 2916	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	33
PID 2548 wrote to memory of 2916	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	33
PID 2548 wrote to memory of 2828	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	34
PID 2548 wrote to memory of 2828	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	34
PID 2548 wrote to memory of 2828	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	34
PID 2548 wrote to memory of 2828	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	34
PID 2548 wrote to memory of 796	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	35
PID 2548 wrote to memory of 796	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	35
PID 2548 wrote to memory of 796	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	35
PID 2548 wrote to memory of 796	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	35
PID 2548 wrote to memory of 1892	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	36
PID 2548 wrote to memory of 1892	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	36
PID 2548 wrote to memory of 1892	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	36
PID 2548 wrote to memory of 1892	2548	4467692df3f5ba1aff4f51d021a5f5a0N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4467692df3f5ba1aff4f51d021a5f5a0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4467692df3f5ba1aff4f51d021a5f5a0N.exe

C:\Users\Admin\AppData\Local\Temp\4467692df3f5ba1aff4f51d021a5f5a0N.exe
"C:\Users\Admin\AppData\Local\Temp\4467692df3f5ba1aff4f51d021a5f5a0N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2548
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2684
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2076
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:572
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:796
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
63KB

MD5
4467692df3f5ba1aff4f51d021a5f5a0

SHA1
658810d6c85ca812be6be2b4001d6aeeab8d6c1d

SHA256
acb398338145f18f11ebb57b8a3480369f0a9838cab3b2b6e5befa2a76d75c20

SHA512
16670cbbd831ea7d011db0f3c3984dfcf46504981fde029a5a970a992b5fd7ed1af467492eedc73e2be9e93adf880d3500b3d6d49a7f9b30ab58ce1374e237df

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
b506d1444c313cf799de4a82243eb92d

SHA1
e8f54bf73aea78b81695d0216042200e352da294

SHA256
1ce6b4590d346bdc9caed2c12cca981d45d5423398ee637805ec769ca880d38a

SHA512
ce3be81db247012e8c614af2aa080b74ca9499f950868e7628d1cb1ca87f394a1ad83c5e381236ae0d977450a26627513f5c470161fccb93542852c702d4c9ec

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
adb2dd2b9701a44c79c822fe153897d2

SHA1
005d9e16d8a4bad9c46d71e80797bb137ec8eb64

SHA256
9c2e42c24419f9b64bd693fddc471759da7d888f2ac542ada87ba6481eeae92d

SHA512
2b1daab87e47b5b616a22ea72cd6edfe8365bfff5f3cb9716ca90e922a5e1ef66c955cf377be990fe50d9949fddc46d3fd425bd2da1d251863b760107f661c99

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
0c6158e24266914c2efb661c2cfc52a6

SHA1
375205433cbaf03bedbf25a521115969bb605210

SHA256
81a778191d5827bee8f75f489abb0d8fa4cda3b3782f5aa71cf77736552d50b4

SHA512
cd8dd126174f6a7e385b72c79f4a0b5764477c0c2ca356c11847d29a5d30a522dfe0a25c458410252a92039539de4d21416a9f92ad5c32bc3b1e18b52645d11e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
130e653508e395981c018d42dd156f19

SHA1
2f2656c2d1c3b2c96d07527c2ef4b025b0f84367

SHA256
37c05b2273ed88df9d1d52f872ac81567dceded72ab63b411ddeb902e64110d5

SHA512
58be7c2b1c27e798835059161a09f67392534d74aed7838403f06f160dc23fa7a0cfb81d68e00eb0878af87091381c8b42e41ab97cba46058d1e28fa8e3d7cf1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
ea4b38afe7e0bf1287c24f61a47b5934

SHA1
6124c993ef0c10a9817a1ed91302bd9c52865795

SHA256
d4f63c9a9682210abd50c76e42db0f94c8f7c80e88e63cf8b485fafa101e740b

SHA512
c334e0ba572f097d51f9b5a4176cd58b9a345c3625218c3f6c63f1696c43010770fca918920a2eb76c87e6976f4277d1b0fc950c64c5c56394b8978957181daf

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
5a13edb04c61f5b688c694647289c431

SHA1
97ec5de19c2190cdd7be99282b4b98549416022e

SHA256
f8b37a6d20391cbbd1754b683cffd6fa20759c04ebda13ed6463b986e002b9e6

SHA512
01570d2d6e20bcc91d1ece735281acfb71b2601847c8fdf9adfc0b8199eb6a7d420bc1c1fe6e0f493c74aaff54f90ecd8abfb3e96d082b1892d9fcbf01f0c233

Download Submit
memory/572-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1892-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2076-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-111-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2548-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-110-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2548-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-169-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2548-168-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2548-124-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2548-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-125-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2684-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2684-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download