3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406

Analysis

max time kernel
13s
max time network
21s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Size

91KB
MD5

c03138918027d2c28e7eeb956167e880
SHA1

a2b19416582fd4409b8b824993f1684b0112feba
SHA256

3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406
SHA512

adb5dd9636079f8cec7ab3546585d39e12ac3d929478a8e9a1eb7023f46b6e933054ab63b9e5ea4d86f96970d176eb023d0d35b1a7b7a3bc51bb9b1683d76c1a
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imu/3gRYjXbUeHORIC4ZO:uT3OA3+KQsxfS48T3OA3+KQsxfS4C

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2600	xk.exe
2248	IExplorer.exe
612	WINLOGON.EXE
1696	CSRSS.EXE
2376	SERVICES.EXE
2044	LSASS.EXE
1760	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
File created	C:\Windows\xk.exe	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
2600	xk.exe
2248	IExplorer.exe
612	WINLOGON.EXE
1696	CSRSS.EXE
2376	SERVICES.EXE
2044	LSASS.EXE
1760	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2600	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	30
PID 2916 wrote to memory of 2600	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	30
PID 2916 wrote to memory of 2600	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	30
PID 2916 wrote to memory of 2600	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	30
PID 2916 wrote to memory of 2248	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	31
PID 2916 wrote to memory of 2248	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	31
PID 2916 wrote to memory of 2248	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	31
PID 2916 wrote to memory of 2248	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	31
PID 2916 wrote to memory of 612	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	32
PID 2916 wrote to memory of 612	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	32
PID 2916 wrote to memory of 612	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	32
PID 2916 wrote to memory of 612	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	32
PID 2916 wrote to memory of 1696	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	33
PID 2916 wrote to memory of 1696	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	33
PID 2916 wrote to memory of 1696	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	33
PID 2916 wrote to memory of 1696	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	33
PID 2916 wrote to memory of 2376	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	34
PID 2916 wrote to memory of 2376	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	34
PID 2916 wrote to memory of 2376	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	34
PID 2916 wrote to memory of 2376	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	34
PID 2916 wrote to memory of 2044	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	35
PID 2916 wrote to memory of 2044	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	35
PID 2916 wrote to memory of 2044	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	35
PID 2916 wrote to memory of 2044	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	35
PID 2916 wrote to memory of 1760	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	36
PID 2916 wrote to memory of 1760	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	36
PID 2916 wrote to memory of 1760	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	36
PID 2916 wrote to memory of 1760	2916	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe

C:\Users\Admin\AppData\Local\Temp\3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
"C:\Users\Admin\AppData\Local\Temp\3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2916
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2600
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2248
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:612
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2376
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2044
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
687e2f606b4d4112f06ea04ebfedd095

SHA1
743c41dc269f20d0833a30d1271d6aa76f7af87c

SHA256
49e270ec05b03afbac8653b8c985bc699ca4b41d20198596962398d01ee445b3

SHA512
e2d184fd6f057d8352bfa2cb76d073d9b5f93eb830288e4156879ad31dffa9bdbd391e7f9434236d6edf80d82c684918509db8c764c5fed2d758f7349ea1b32d

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
c03138918027d2c28e7eeb956167e880

SHA1
a2b19416582fd4409b8b824993f1684b0112feba

SHA256
3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406

SHA512
adb5dd9636079f8cec7ab3546585d39e12ac3d929478a8e9a1eb7023f46b6e933054ab63b9e5ea4d86f96970d176eb023d0d35b1a7b7a3bc51bb9b1683d76c1a

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
3317ab777430021f2f03ecc093cd64fc

SHA1
1245aabc001f67c99d0674b59fa6398b73648ba5

SHA256
24ab41cc6710daeedb8bea3b4807f01089053a0e1eb00b102b52e868f6c52c53

SHA512
b0b250b188730c8a40ab773b3322ea506e1cbee31de0cdbba4a02f1adcb92de75a89553b5e688fb08647e3d2a5d85946eea0dc441763a2db4520e1e9891be417

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
ea7c9adb7c356216ef0e34c833a7fe61

SHA1
b105a58b575405726bacff2f8aa73d055768c60f

SHA256
e5abf3ae80c916d579621b3f2cdd2c8ecbb6859252e5617344d00151a4ffce52

SHA512
fed77250b087d2e22da72596546c49c182928579b4a8d0f9bc222f8e838720422bf879cb5a97b8f5bcc42abf686b1ee3098db72ec0790f47bf1f85a258d2fb1b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
2627bf7db949c6d425b112543de12e7d

SHA1
2ca1a773a55ed382ed11113b565733241ea9dfce

SHA256
02dd11835099d92dca79bf14e049568e382ba154598d02eb3dde5e617a8317ef

SHA512
4c2985cb0c9267b8bb618bbb9286eb79932c5f9d0a9b27f4a7da8e68c6d629cbe568e7487d297b0598f23ff9b81140e31738640f32a984fe652be797ac9c70d5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
d025fb466f87e722376ae23066882a24

SHA1
eb813079ce4667d6e376602aeca2e1ac16804d30

SHA256
2d65917b94fa76e735d895def2be71b2673622897078e459d1da0499c874e7b2

SHA512
15ebc51fa468466f82aaaaec14623e8cf544833bf30a92754b3030d65350c91827b75d667defedd2aa5f889f16b9644c3b8def00a041caa25e048c38a42ea701

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
2c628d6c20e33eb25a4fb2e05abbd9c0

SHA1
7fc1cd7a623e3e9bb3981285ef5199d9c5b2f8ed

SHA256
e3b8fd36149a396b902104ead98a94c68e76faba4751a728506a079b436a4969

SHA512
7e39bd9eacc6a9eb819ec4417b23588e75cbe9521d01eb81f36baf148161b191ba008405adf56c1f33993b83ddcfe6f910855c9d52500a32d920f6c72c59bfad

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
33b319195022d7f51e2523189bcde044

SHA1
b292d3f6b27306f0ce84248b8326fd228b34368f

SHA256
4eeb0527c554103c89a1ac678347975f0591ae7f8997e850c6382e88ed6821e1

SHA512
fc51d70b18b0df1257c0942589810307b26dd88f0102843027e0b0d0ead2c60fc560962cf1fc78bb5212b84c4230152d9be93a7171445b566eb31c98bad1e370

Download Submit
memory/612-149-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/612-154-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/612-153-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1696-162-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1696-167-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1760-203-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1760-211-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2044-194-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2044-189-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2248-134-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2248-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2248-132-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2376-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2376-176-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2376-181-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-119-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-123-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-116-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-117-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2916-114-0x00000000026A0000-0x00000000026CC000-memory.dmp

Filesize
176KB

Download
memory/2916-115-0x00000000026A0000-0x00000000026CC000-memory.dmp

Filesize
176KB

Download
memory/2916-174-0x00000000026A0000-0x00000000026CC000-memory.dmp

Filesize
176KB

Download
memory/2916-141-0x00000000026A0000-0x00000000026CC000-memory.dmp

Filesize
176KB

Download
memory/2916-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2916-148-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2916-147-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2916-131-0x00000000026A0000-0x00000000026CC000-memory.dmp

Filesize
176KB

Download
memory/2916-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2916-202-0x00000000026A0000-0x00000000026CC000-memory.dmp

Filesize
176KB

Download
memory/2916-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2916-4-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2916-208-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2916-209-0x0000000000401000-0x0000000000427000-memory.dmp

Filesize
152KB

Download
memory/2916-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download