fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/09/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Size

91KB
MD5

3eaf8b7ea476ae26323ed3333383ad2f
SHA1

57e394fc84a3d3d70a58db1f2760280ee9048e2f
SHA256

fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54
SHA512

e1a280bed7cef19988cb4c1517c185ae7328855a728f35f68de8419e6ee5a16b8770f29a951f5706c95d81f60c4fcc9692220e2d8cacfabc284cdfd950c9b3c9
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBiBJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQIBvtYxOuYotvYQIE

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2668	xk.exe
2164	IExplorer.exe
1784	WINLOGON.EXE
1152	CSRSS.EXE
2940	SERVICES.EXE
2948	LSASS.EXE
772	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1924-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000015f71-8.dat	upx
behavioral1/files/0x0007000000016d2e-111.dat	upx
behavioral1/memory/2668-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d4f-117.dat	upx
behavioral1/memory/2164-125-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2668-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d69-130.dat	upx
behavioral1/memory/2164-135-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d6d-144.dat	upx
behavioral1/memory/1784-141-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1924-149-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016d72-160.dat	upx
behavioral1/memory/1152-155-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016dd9-171.dat	upx
behavioral1/memory/2940-170-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016de0-177.dat	upx
behavioral1/memory/2948-176-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1924-190-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/772-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
File created	C:\Windows\SysWOW64\Mig2.scr	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
File created	C:\Windows\xk.exe	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
2668	xk.exe
2164	IExplorer.exe
1784	WINLOGON.EXE
1152	CSRSS.EXE
2940	SERVICES.EXE
2948	LSASS.EXE
772	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2668	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	30
PID 1924 wrote to memory of 2668	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	30
PID 1924 wrote to memory of 2668	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	30
PID 1924 wrote to memory of 2668	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	30
PID 1924 wrote to memory of 2164	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	31
PID 1924 wrote to memory of 2164	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	31
PID 1924 wrote to memory of 2164	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	31
PID 1924 wrote to memory of 2164	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	31
PID 1924 wrote to memory of 1784	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	32
PID 1924 wrote to memory of 1784	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	32
PID 1924 wrote to memory of 1784	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	32
PID 1924 wrote to memory of 1784	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	32
PID 1924 wrote to memory of 1152	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	33
PID 1924 wrote to memory of 1152	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	33
PID 1924 wrote to memory of 1152	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	33
PID 1924 wrote to memory of 1152	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	33
PID 1924 wrote to memory of 2940	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	34
PID 1924 wrote to memory of 2940	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	34
PID 1924 wrote to memory of 2940	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	34
PID 1924 wrote to memory of 2940	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	34
PID 1924 wrote to memory of 2948	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	35
PID 1924 wrote to memory of 2948	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	35
PID 1924 wrote to memory of 2948	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	35
PID 1924 wrote to memory of 2948	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	35
PID 1924 wrote to memory of 772	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	36
PID 1924 wrote to memory of 772	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	36
PID 1924 wrote to memory of 772	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	36
PID 1924 wrote to memory of 772	1924	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe

C:\Users\Admin\AppData\Local\Temp\fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe
"C:\Users\Admin\AppData\Local\Temp\fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1924
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2668
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2164
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1784
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1152
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2940
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
efadeff9131f76076a13dcb235af0d30

SHA1
73299f58a4157db9fd02e948d0f10877451b33f9

SHA256
dc98a35c91e9a5f1c01e4610c7d30757134d78d1b4cdc763f68fc504b432155e

SHA512
804fb38aee91cc7752302227e0903a6a73aaa90d1a76f84ed7aa02488c2f7fa6df32a7b392d33ad5ea7eb87804288e08703baf418278fbefdc0a627069b4defb

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
9989b853aa5a5b1590304018f6849fb4

SHA1
d8181dc831568a90aeaab574464a8e88ad9340f1

SHA256
1f1656e7a88079756bc870c197c64f2f4ac24878e566cf83f0e5255a3c5f5243

SHA512
27c91c0c4927e01000e60cb7473d5799a3c4be31f6bdf480863692283819d4970f1f53bd834a5d4e26c431563918ac1c661fa4157adbe4b4b93ced43c1b4911a

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
3eaf8b7ea476ae26323ed3333383ad2f

SHA1
57e394fc84a3d3d70a58db1f2760280ee9048e2f

SHA256
fff6d217c4eb3d61047a8ff36fa40d48c88ba36206171d0f09b7e3f784dafb54

SHA512
e1a280bed7cef19988cb4c1517c185ae7328855a728f35f68de8419e6ee5a16b8770f29a951f5706c95d81f60c4fcc9692220e2d8cacfabc284cdfd950c9b3c9

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
33267445f07449106782cc622b45f20b

SHA1
6e7aa67999694aca7c8b8f31d1b52f58722157df

SHA256
52bb5dc70848b6a60a57542eb9cc149fa187ad333427c4de7ea405f180bc0475

SHA512
c34df3d2a78e8b85d8e2d1c4440055822376b602790f557e8a6d28a40c887d00fecf73e2d8c769953837d2b4645408a6d097f1bf538f25f9a702779abd7f9496

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
53af78369dcc3f4c3b2c14bd1cedd896

SHA1
2295abcf7c240bc8bb02abf75c1eabfd9849984c

SHA256
77f36e6795b9a470dd8b2cd1fe0407992d43fad6898dfca269cfdf776407c861

SHA512
ebec093ed2fcbccdcc9d989f4a5fbdf6317ecbefe03f6a5d5c077c38fa26315beef506a2a8f6ce24ce206d9c814e49f26c3ba8b25e771d77ecc3782cdd52b354

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
e8a2dd69912eaa9757cb481715be751d

SHA1
42eb2805396356c8d6eac27dd3ffee385e4dc885

SHA256
5abf53d06f2467fe7fbc784065111240ace239cbfb27b38b27f3b66d5c74e8fd

SHA512
0834672580e969fb9ec7084b2a7b849f6b3e85679bf1c31ca8260e27a211e25b3131b654016e46fed0ab5bfc35c36ccf0e30804c1306d57d261c0a4f87db7e90

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
a49ee5c28beac75ec4d9d23f4f1b5438

SHA1
e30d7add247112da70f797860be636e170222d7f

SHA256
48577eab8e4e20f5bd35948c86484401fdf3dee38d4395f725ff02013ddd6d3b

SHA512
c31b06feca6e012723d3ed155b2dbe7d65e452cb4188eeddcc0c40fb364849641db284f54dbb952e97baa7c12124bf9e222f161fa4cebe952f9754b913dfa6b3

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
5c3e91d31c8387ec02e7b6c3bbeb4054

SHA1
5ebfad0808cf6945dd53c245953332a216bfd487

SHA256
6baa698aae9ffa8c5232f9627cf9e5fc5b3c9d9f95cfb02670ac8df792076078

SHA512
757f2d817d27f346d728d4232d8da61f79741223a2abe93517ad558ab64f6df9487e9269a1e640924794de184a1c963ffefbcf316a46d9f1ade30086a0f0b963

Download Submit
memory/772-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1152-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1784-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-109-0x0000000002850000-0x000000000287F000-memory.dmp

Filesize
188KB

Download
memory/1924-190-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-124-0x0000000002850000-0x000000000287F000-memory.dmp

Filesize
188KB

Download
memory/1924-138-0x0000000002850000-0x000000000287F000-memory.dmp

Filesize
188KB

Download
memory/1924-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-137-0x0000000002850000-0x000000000287F000-memory.dmp

Filesize
188KB

Download
memory/1924-184-0x0000000002850000-0x000000000287F000-memory.dmp

Filesize
188KB

Download
memory/1924-172-0x0000000002850000-0x000000000287F000-memory.dmp

Filesize
188KB

Download
memory/1924-110-0x0000000002850000-0x000000000287F000-memory.dmp

Filesize
188KB

Download
memory/2164-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download