7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Size

91KB
MD5

d4e3a1c5fa51c8ed920e30b49c83a170
SHA1

36e0a4970e5c59e4765f0ac08808195083355e63
SHA256

7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573
SHA512

e7eb352ca0124c44615eb1efe1f4162de4b2997ecc1769bf40f68f46cb4ad28ba4ac899b273a61598e1291afcbe4a7e4e8ec7f36b64527bbdd6762536045c56c
SSDEEP

1536:zAwEmBZ04faWmtN4nic+6G0AwEmBZ04faWmtN4nic+6G9:zGms4Eton00Gms4Eton09

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2800	xk.exe
2676	IExplorer.exe
1048	WINLOGON.EXE
1532	CSRSS.EXE
320	SERVICES.EXE
2880	LSASS.EXE
2972	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
File created	C:\Windows\SysWOW64\shell.exe	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
File created	C:\Windows\xk.exe	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
2800	xk.exe
2676	IExplorer.exe
1048	WINLOGON.EXE
1532	CSRSS.EXE
320	SERVICES.EXE
2880	LSASS.EXE
2972	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2800	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	30
PID 2068 wrote to memory of 2800	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	30
PID 2068 wrote to memory of 2800	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	30
PID 2068 wrote to memory of 2800	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	30
PID 2068 wrote to memory of 2676	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	31
PID 2068 wrote to memory of 2676	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	31
PID 2068 wrote to memory of 2676	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	31
PID 2068 wrote to memory of 2676	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	31
PID 2068 wrote to memory of 1048	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	32
PID 2068 wrote to memory of 1048	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	32
PID 2068 wrote to memory of 1048	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	32
PID 2068 wrote to memory of 1048	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	32
PID 2068 wrote to memory of 1532	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	33
PID 2068 wrote to memory of 1532	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	33
PID 2068 wrote to memory of 1532	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	33
PID 2068 wrote to memory of 1532	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	33
PID 2068 wrote to memory of 320	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	34
PID 2068 wrote to memory of 320	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	34
PID 2068 wrote to memory of 320	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	34
PID 2068 wrote to memory of 320	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	34
PID 2068 wrote to memory of 2880	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	35
PID 2068 wrote to memory of 2880	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	35
PID 2068 wrote to memory of 2880	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	35
PID 2068 wrote to memory of 2880	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	35
PID 2068 wrote to memory of 2972	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	36
PID 2068 wrote to memory of 2972	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	36
PID 2068 wrote to memory of 2972	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	36
PID 2068 wrote to memory of 2972	2068	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe

C:\Users\Admin\AppData\Local\Temp\7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe
"C:\Users\Admin\AppData\Local\Temp\7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2068
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2800
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2676
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1048
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1532
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
d4e3a1c5fa51c8ed920e30b49c83a170

SHA1
36e0a4970e5c59e4765f0ac08808195083355e63

SHA256
7738e5dfb254fbf00fc02880dc07584054cb15a5f5ac52973a8666b192332573

SHA512
e7eb352ca0124c44615eb1efe1f4162de4b2997ecc1769bf40f68f46cb4ad28ba4ac899b273a61598e1291afcbe4a7e4e8ec7f36b64527bbdd6762536045c56c

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
d6fc4b87483fdb802eba73071aed8071

SHA1
f9c4a32717aba92f519900a420ebd3f2932d417f

SHA256
332ccc63a9a6a9faa2c07bbc8f39163fa5de8c45daa891fdd47ee26e219b09bf

SHA512
c545bbe79f2a6cd5fca8bf44bcb892fa2e0a97e791740c97900f2db69697ed1ff5d607a8a2ab6d0725334212231745c59bd993bd4ea9db5d93712e9fc4cfa643

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
0864e847aef79bd27491218971c2d445

SHA1
e845ca3d073cac4838d79e02968dcc482c0ac8a5

SHA256
373e5eef16025c6d96000c184a0b106b3158a60c88b4e3978febfdf2b1fa9e83

SHA512
b2f435c8f0ff4097ab85e29307b0a218660cae352fe580987f6209c40df3a593f80e2654691a5322ef132c58d128db71ff8d7a2e0de986b5124440342abb4f90

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
eb813a83b55ad4eca2f82c26ce8d231f

SHA1
6edb88ce5dc3a922b0656e547b8f000b5cbc7451

SHA256
3fd52d0eca57633a27df7523dbd8c4d0d6c2151a2b3946803e6c86d9f41e9c85

SHA512
d7f46c1bcd24f4322c69c6c60fe2976388df99d15e2d5021ce391e3d98b1f3ee8919496584cbb51184aee8d0ea9be643d25b49a797069a9b430514c17f10b4a2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
f365fa869ab8fd61aba9b8941bdb71e1

SHA1
d7cff0498b46bcb241fcb26fad428bc15a78612b

SHA256
46251bcbe82eb5f14424ddf630bb0be0b4ef6ec918127e8ffe382376438b1e42

SHA512
9cb628831ad37c0a3346e7112a57522abbfa2186ff5475eb23e68990310b006930cfd89739f6922fb483074b706b67d8e7e9b0bec78a39aa229a4877342b9d06

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
e94f172a304c09590592dff24c70fa27

SHA1
dec9066df83d169d7698de4a7a18639d4174c968

SHA256
94475a9da015a731f0bbb7e90487eac27a9dfffdb8ec850b61555e29f21d83ac

SHA512
ee2b6dc7e8be7fd00532834c58f099651245f12a8f919e1fc9dff90357b0d3b753adae2319d8568124627b9c0bdc09cee3bbc655b624e14981e9ba8c3ad8d389

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
e8d51a9715c7bf0c1d701e5277b00337

SHA1
4f5023f70d9515e8b31b1187cbb678460d3613d6

SHA256
ff10b876f1ed0efaa0b264e0157bd194c9685dce1432680cc39defd1a26d7247

SHA512
feb494daeddf4b00e5f158b1cd7c4215f17732636840cd339cfbdea818a1ca46440754eed4ee89e1f559317024bb0eeb7b6f5b8ea2a71eb8717ce10e68fed019

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
9f287db143cb33250e6ed6f2c06ead7f

SHA1
18d477e98956f21464eaa4b905695e631732c7fe

SHA256
3b841935bcd68a52490cc4de5b7272ffaee4d05c2dabfbae572bf053b3e721f9

SHA512
5ddb0ec9b34886df495c28c4e674f33895e63e6accbd2cf5f8230ca0b3650c13124877307b45572868ce4de1cab060a266e241ac59aca3de36e8afb2b60cee20

Download Submit
memory/320-164-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1048-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1532-154-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2068-124-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2068-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2068-134-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2068-190-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2068-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2068-148-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2068-118-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2068-111-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2068-171-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2068-110-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2068-172-0x00000000030B0000-0x00000000030DE000-memory.dmp

Filesize
184KB

Download
memory/2676-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2676-137-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2800-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-177-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2972-189-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download