f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Size

91KB
MD5

af90cf445fd9666a30271f431e4934c0
SHA1

1be90f45f3fb6a0b10ad23a51f0e6552791475d1
SHA256

f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40
SHA512

a713ea79d38bf0050a74e4076ff8478e926c4203616c9ef9ff6eab2ece795177d0df1e45bcd1e02fb81a5798baf341b81204ab9f25bb5db87f8dc2d9160cf9bc
SSDEEP

1536:FAwEmBGz1lNNqDaG0PoxhlzmUAwEmBGz1lNNqDaG0Poxhlzm3:FGmUXNQDaG0A8UGmUXNQDaG0A83

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2344	xk.exe
1872	IExplorer.exe
2436	WINLOGON.EXE
2856	CSRSS.EXE
2884	SERVICES.EXE
784	LSASS.EXE
1208	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
File created	C:\Windows\SysWOW64\shell.exe	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
File created	C:\Windows\xk.exe	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
2344	xk.exe
1872	IExplorer.exe
2436	WINLOGON.EXE
2856	CSRSS.EXE
2884	SERVICES.EXE
784	LSASS.EXE
1208	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2344	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	30
PID 1744 wrote to memory of 2344	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	30
PID 1744 wrote to memory of 2344	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	30
PID 1744 wrote to memory of 2344	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	30
PID 1744 wrote to memory of 1872	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	31
PID 1744 wrote to memory of 1872	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	31
PID 1744 wrote to memory of 1872	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	31
PID 1744 wrote to memory of 1872	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	31
PID 1744 wrote to memory of 2436	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	32
PID 1744 wrote to memory of 2436	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	32
PID 1744 wrote to memory of 2436	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	32
PID 1744 wrote to memory of 2436	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	32
PID 1744 wrote to memory of 2856	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	33
PID 1744 wrote to memory of 2856	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	33
PID 1744 wrote to memory of 2856	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	33
PID 1744 wrote to memory of 2856	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	33
PID 1744 wrote to memory of 2884	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	34
PID 1744 wrote to memory of 2884	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	34
PID 1744 wrote to memory of 2884	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	34
PID 1744 wrote to memory of 2884	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	34
PID 1744 wrote to memory of 784	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	35
PID 1744 wrote to memory of 784	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	35
PID 1744 wrote to memory of 784	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	35
PID 1744 wrote to memory of 784	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	35
PID 1744 wrote to memory of 1208	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	36
PID 1744 wrote to memory of 1208	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	36
PID 1744 wrote to memory of 1208	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	36
PID 1744 wrote to memory of 1208	1744	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe

C:\Users\Admin\AppData\Local\Temp\f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe
"C:\Users\Admin\AppData\Local\Temp\f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1744
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2344
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1872
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2436
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:784
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
a35e982f98b9c1a02f4d6c811e43fa32

SHA1
64f2f887c968de16b0477bbe677ae0a517fd983f

SHA256
0767c8d243f05320a1ff303e21a6527bf31b3d7afc6c0ffc5a8fbd3da7bf7656

SHA512
d222e10a0e3982f3545dfb8f696de2d17b80bd8d682bdd899c65afe54586c9d7e10bc9ca96881785cc1057ce27959a59e867b089dca4e90f478cf3be48f8ed70

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
af90cf445fd9666a30271f431e4934c0

SHA1
1be90f45f3fb6a0b10ad23a51f0e6552791475d1

SHA256
f29d1821bc0049850121f7106184415474d719adea5d6ec0b3301212fcb05f40

SHA512
a713ea79d38bf0050a74e4076ff8478e926c4203616c9ef9ff6eab2ece795177d0df1e45bcd1e02fb81a5798baf341b81204ab9f25bb5db87f8dc2d9160cf9bc

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
bfc7633dbac1eba92be95e3d77042251

SHA1
7c2fca7f452b786b916770269fdd6803a01f053b

SHA256
bca3da9c928ba038262c1dbd03be55258b9d51f97f442290e9914872b3080b48

SHA512
eecef8d4f08436acf7a169090defeddeefab56f1be95667dfdce1fa6788383c8e993c9224e1d3d61edd31e683eb7634084ac3a4ab014a49c3057028224148a4e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
43c8dc5121cdd6e2c2d6560bc54e8c21

SHA1
b68a5e9f523b6f113a776a64d7268b23fd67f792

SHA256
112baeda48ee54140d245348ba7f1c0f3a147696795dcd59e6087f77f626680f

SHA512
88d9de35078fc75b8eff289e71ac179ad3e6cf60a2121258bcf959d4080ea6c58bcbf22f4e3925819944c993535312dc87d2d70e2b2009286f4f64e2ead43431

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
d0eedf0c3b23102c7c3d07e4f75569d3

SHA1
5946273b6092cba1fc5496965303fba00470fd11

SHA256
ecab1706fb3df2b6cd11f4e701266bd69b0533e274fd6793af58ebec1cf5def9

SHA512
b13387eed7f253ce2fda62e3ae2961df92f3f61d172aa9d9ef917f1430217baeee83a877625243693cd542265128be40a8eff48b9f0042e621e699100d301c43

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
e7b09a499c3e4fad53c3c85b1bfa3c79

SHA1
1fb02457ac32dbf2dc21ad0c8a4231f3cc011abe

SHA256
58a5173cc77db2ba5aead7544b7ce9a545c0fc6386d7e5247a153d13339a385e

SHA512
cccb85844a59eb934cfb7c9fc44f22483b432f5e9ccd310337cd66423e28b3cbcfa55b96844325f3b28ea6396ff95d531b8a0dc72cfd693c65c1f6df2d9c9be7

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
ba17166a06fc84469dbfe8c21074994d

SHA1
d6d256c5c3e38146e81ea36bebf5ceadc354259c

SHA256
a1f14b055b9ba19c898fd8cb26bc8ac5c8a34810d049a02b2e818184a80e0fcf

SHA512
3eb5f0d9df5b108c34a5d32474087900f63a198c464864bc2de5ee0ea4c24be141960b581a02f7499b96dad555c1fad10b1e977bf21c88dfa26405726f2fa849

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
3cdcfb42a04d3bd97444f62363b5d5ff

SHA1
e43522cb8425dc86da71eb327ac2378fd7b5037a

SHA256
406edf921b731150a64743201160aa3cb5de1811182fb233c5bdea6a26bb0a66

SHA512
059027a25ba13b8690d51f439f8afae3d05bb1f24f222dd48d0a6fb40f64a43baab34d19157212b187e4ecd524635641dcaedc992da4af96e5dab36f4cd1816f

Download Submit
memory/784-175-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1208-184-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1744-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1744-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1744-155-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1744-168-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1744-121-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1744-106-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/1744-185-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1872-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2344-115-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2436-136-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2856-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2884-161-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2884-159-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download