4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
Size

313KB
MD5

ca04727958d7489a8af766ee1ac6f7c0
SHA1

857727adc78102e0f077933b56694965bddac65f
SHA256

4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559
SHA512

1dbcc435b17ad9a69cabbbc4a47935a92c25921005d47313aae6ffb38388aaf49f70763570310a0d40b2079f8c6278e8b6a172bbaf8872ff6d90e7ec8f8aa9c6
SSDEEP

6144:4eHwXUU5EYCTvaBjDjWrLJKuKnGML5Njcxd:4yMUusvalag5Njad

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\YHN8O2C\\KCJ2S8C.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\YHN8O2C\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

Executes dropped EXE 5 IoCs

pid	Process
2524	service.exe
2792	smss.exe
2540	system.exe
2520	winlogon.exe
1432	lsass.exe

Loads dropped DLL 8 IoCs

pid	Process
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e00000001866e-125.dat	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\sHN2X5G0 = "C:\\Windows\\system32\\MHG8N4IHMV5Q6P.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0S8CMV = "C:\\Windows\\DGQ2X5G.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K	smss.exe
File opened for modification	C:\Windows\SysWOW64\RQT2C1M.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\RQT2C1M.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\RQT2C1M.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K	system.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\RQT2C1M.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\RQT2C1M.exe	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\RQT2C1M.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\SysWOW64\ETV3Y4K\MHG8N4I.cmd	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\DGQ2X5G.exe	smss.exe
File opened for modification	C:\Windows\YHN8O2C\WCW2C0T.com	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\YHN8O2C\winlogon.exe	service.exe
File opened for modification	C:\Windows\YHN8O2C\KCJ2S8C.exe	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\YHN8O2C\regedit.cmd	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\YHN8O2C\service.exe	service.exe
File opened for modification	C:\Windows\YHN8O2C\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\YHN8O2C	winlogon.exe
File opened for modification	C:\Windows\YHN8O2C\system.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\YHN8O2C\WCW2C0T.com	system.exe
File opened for modification	C:\Windows\HMV5Q6P.exe	winlogon.exe
File opened for modification	C:\Windows\YHN8O2C\WCW2C0T.com	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\moonlight.dll	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\HMV5Q6P.exe	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\YHN8O2C	lsass.exe
File opened for modification	C:\Windows\YHN8O2C\service.exe	smss.exe
File opened for modification	C:\Windows\YHN8O2C\winlogon.exe	smss.exe
File opened for modification	C:\Windows\YHN8O2C\KCJ2S8C.exe	smss.exe
File created	C:\Windows\MooNlight.txt	smss.exe
File opened for modification	C:\Windows\YHN8O2C\smss.exe	winlogon.exe
File opened for modification	C:\Windows\YHN8O2C\system.exe	lsass.exe
File opened for modification	C:\Windows\HMV5Q6P.exe	lsass.exe
File opened for modification	C:\Windows\YHN8O2C\smss.exe	service.exe
File opened for modification	C:\Windows\DGQ2X5G.exe	service.exe
File opened for modification	C:\Windows\YHN8O2C\WCW2C0T.com	service.exe
File opened for modification	C:\Windows\YHN8O2C\service.exe	winlogon.exe
File opened for modification	C:\Windows\DGQ2X5G.exe	system.exe
File opened for modification	C:\Windows\DGQ2X5G.exe	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\YHN8O2C	service.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\YHN8O2C\system.exe	smss.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\YHN8O2C\service.exe	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\YHN8O2C\WCW2C0T.com	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\YHN8O2C\service.exe	system.exe
File opened for modification	C:\Windows\YHN8O2C\smss.exe	smss.exe
File opened for modification	C:\Windows\YHN8O2C\smss.exe	system.exe
File opened for modification	C:\Windows\YHN8O2C\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\YHN8O2C\regedit.cmd	system.exe
File opened for modification	C:\Windows\YHN8O2C\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\YHN8O2C\MYpIC.zip	system.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\HMV5Q6P.exe	service.exe
File opened for modification	C:\Windows\HMV5Q6P.exe	system.exe
File opened for modification	C:\Windows\DGQ2X5G.exe	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\YHN8O2C\KCJ2S8C.exe	system.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
2524	service.exe
2520	winlogon.exe
2792	smss.exe
2540	system.exe
1432	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 2524	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	31
PID 780 wrote to memory of 2524	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	31
PID 780 wrote to memory of 2524	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	31
PID 780 wrote to memory of 2524	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	31
PID 780 wrote to memory of 2792	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	32
PID 780 wrote to memory of 2792	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	32
PID 780 wrote to memory of 2792	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	32
PID 780 wrote to memory of 2792	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	32
PID 780 wrote to memory of 2540	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	33
PID 780 wrote to memory of 2540	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	33
PID 780 wrote to memory of 2540	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	33
PID 780 wrote to memory of 2540	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	33
PID 780 wrote to memory of 2520	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	34
PID 780 wrote to memory of 2520	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	34
PID 780 wrote to memory of 2520	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	34
PID 780 wrote to memory of 2520	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	34
PID 780 wrote to memory of 1432	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	35
PID 780 wrote to memory of 1432	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	35
PID 780 wrote to memory of 1432	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	35
PID 780 wrote to memory of 1432	780	4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe	35

C:\Users\Admin\AppData\Local\Temp\4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe
"C:\Users\Admin\AppData\Local\Temp\4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:780
- C:\Windows\YHN8O2C\service.exe
  "C:\Windows\YHN8O2C\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Windows\YHN8O2C\smss.exe
  "C:\Windows\YHN8O2C\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Windows\YHN8O2C\system.exe
  "C:\Windows\YHN8O2C\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Windows\YHN8O2C\winlogon.exe
  "C:\Windows\YHN8O2C\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2520
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DGQ2X5G.exe

Filesize
313KB

MD5
1d2764161349a841f0f2e1a20febe2f3

SHA1
9fdc974eb1aa087bfa960550989a50f9c649da56

SHA256
ad0527554b21e14bad91823ffe1f224446127277778ae7001967551a7b5ba820

SHA512
720bd7c3cc3ed4d288470420698cb1f4aadc2b6dd8c600ae82e66f4dff6005fa14e4b9c42119e8f39d30914359ca0cfe02a075b0880919b07ed37617b62a3a51

Download Submit
C:\Windows\DGQ2X5G.exe

Filesize
313KB

MD5
c03e920e7c617e58efc7f69a252f50c8

SHA1
23834d0b347999f8eb0211145cbe928f849eb7c2

SHA256
3962fd056a28e5980bb06496adf39048dc7bb890610349061b029578cfebf770

SHA512
08e74afaae2495b10e62a6053531dcdb6cdc0df7112d02fd9db8d478ec9d2ed44f911d9c838b105c7b50075d738df98d4f0431e1e37abbe8ee3247d35649390a

Download Submit
C:\Windows\HMV5Q6P.exe

Filesize
313KB

MD5
c687e81c1a4d86c63482c45d40c5c7a9

SHA1
f6020f77bef83f316fac578a95ccec523ceb3bf3

SHA256
63743abbd8f0917c99c0a90f556df03c4b5454bfc9980284a2f7b165fd17d52c

SHA512
da5d5a392b7456fec3b939952100f8ba727b137d8fd9a99f9f5e7fc8fea7bf177cea146a8f7f7ecd7b244d6f2a2ba64b72b94cea8219d070c235c4cf43b01d14

Download Submit
C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe

Filesize
313KB

MD5
5736f6e79603022eeb33f931d484a568

SHA1
1a23df72297e6ad106c2cd2107d86f1f772d74ad

SHA256
ad059130689292342cc8d581c95db0f5c4342de7046ecac2a01f922197b804af

SHA512
aefa6e3aa8f3a36eebf24f777ecfd3b8cfc547823c83ab458817b8cde5870b746113747db1483bc3766f201e4c51ec52e3ec32ed821a4f418a6d80d290d89a78

Download Submit
C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe

Filesize
313KB

MD5
2124f10b0048107bdcda3105479bd063

SHA1
300f3c758ed84a767384dedb9f8e828c8d606d29

SHA256
86ff5075ac97b983006c4b8a3b26d4301e2fbca72604ad348f9d36eb7b018e71

SHA512
40aef1118fa8ab901d871b0e81ddae59c819f53c64086d0ffb64f8f7b48509d5e02b24e8f324774f052be689a8c6b5757406e582df7b8c9337d254f62c242d78

Download Submit
C:\Windows\SysWOW64\MHG8N4IHMV5Q6P.exe

Filesize
313KB

MD5
7a97aaa365dbaaa2607d5e41a98bc752

SHA1
ee2906e3dc8289397cdf3e6bbe641d232c957fac

SHA256
166bb2da65f2f6a98df0cc153817688500e63aef5ef4f683e73dbe078a1fde3b

SHA512
621c4903dcc5e79682dd8f8857d187a49905f38eab2a5b10a6063bd2808d45bb61cc55e95a9558021398b943105f6c9b7867924f83927bd18435440bb8c0fce9

Download Submit
C:\Windows\SysWOW64\RQT2C1M.exe

Filesize
313KB

MD5
d4f0bdff4b15c00adc88a9906f14709b

SHA1
5cb90733514e0abeb65212ee5514511c13b60933

SHA256
ef5d728d6c015360ef78b560ca519985db1a88cda59aaf3b3e59be0c86fa9ee0

SHA512
e1f6ed14ad68c012ce4ea61c14cd3b6983f1cc11d4acf333f7e673fae11b64fc17fb53608f1bb740731edd62464eea95e2d331ce35917a24fe9a17749743addb

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
32759c5bf62a0cd05067eb7884071da7

SHA1
911c1919f63b8c401f2ccc4205f618b0ad40e6e6

SHA256
bd1c76979dd76d6e18d4b411fc97c597d5ebbdd62899440967d00a79e40acaab

SHA512
4ae0d35708f6af9ff28645a5670c1deede840de1e91283fc361eb29aa2eb93ccff98ab1301b381e7506a14546c7df0bf2dff2c4aeac1df8b7beca9da0af51d75

Download Submit
C:\Windows\YHN8O2C\KCJ2S8C.exe

Filesize
313KB

MD5
6f847909b4190aa8fd97fcb36eb3b5ab

SHA1
14e239371a12778fdcb5848adcc49eff3ff5f1df

SHA256
952e2a0f6a212e719545f7eb6ca81dddc775bd77dc40a68ba803e94335a3a000

SHA512
69e98cf9777854228494c9d9e9507ad9ff7adda63d216083d23be78032d0ed344552eb99ed8a56559646503e4139124d32bdc302ed889013d65f1433bb578fde

Download Submit
C:\Windows\YHN8O2C\WCW2C0T.com

Filesize
313KB

MD5
5aeb814a0a5872d25ec44c6472513128

SHA1
0ab6da59d787eaa41df4ff87a8f5114a35637f10

SHA256
768bf12cea6c4ff88028304f671bf2b8a4845d765f2147c5a35b952267eda016

SHA512
8b8e83c1dd9a80b63702cdbfa8fd9c2a491cf91abba4f74218312b721bdda1cdd77eb86750d0bcd649d7e7ed0f55a45fe737e70475634a0f18bf2d252eb4c2df

Download Submit
C:\Windows\YHN8O2C\WCW2C0T.com

Filesize
313KB

MD5
80de6702569733b5fb096b4780ee66dc

SHA1
2dc0b70cdd40df7e90de198be1c87ef0bc6ccac8

SHA256
36879bcad5844fa78bb731c4c2858695022769d10b1b9df534f8d790a2d762f5

SHA512
25ad89e0129c8218aedeed9efac4b77b6190630070d0339d23b846ae9bd027b9cf5217df6e2c5dde98aeb24417eb68547d10033f6c415aaae6e7a3da91fe903d

Download Submit
C:\Windows\YHN8O2C\regedit.cmd

Filesize
313KB

MD5
670f599fd12c165776985259b5e633a3

SHA1
b5e5ba1dbf8662c78db72f115b4dac0c508c3a37

SHA256
b604dbec3375eea6f1dac4e2323dfc70ff85d07c248cecdead3433c07b99f8c8

SHA512
c3bce146df37cc627dc08af757cea2967c47a83833490fd5b876656adb4294969a77858b0cc24ed8ac0a68760ba4949655d6c94d15d8ea507f8efecd10dfc2b4

Download Submit
C:\Windows\YHN8O2C\regedit.cmd

Filesize
313KB

MD5
85b15dd8bd3f80be37236ea605efa275

SHA1
2c2847a17e74cd722fd24217b567eebf8c723042

SHA256
73e74e14cee02d3697f0dbf55477237c88e9e3387f297d41fadcb9bd460e8896

SHA512
d7403fae972139838e132beb7ef4d14ca8f3f99493363ef344b446ffdc3e8883606c8ea1a5100629388a410d017fafe8533d9dbca7b11de26b74febf637f6dcd

Download Submit
C:\Windows\YHN8O2C\service.exe

Filesize
313KB

MD5
ca04727958d7489a8af766ee1ac6f7c0

SHA1
857727adc78102e0f077933b56694965bddac65f

SHA256
4cbfb67f5d5d9a526130ce63d9fb96c783899f42b11f11b1ec983dec8c3da559

SHA512
1dbcc435b17ad9a69cabbbc4a47935a92c25921005d47313aae6ffb38388aaf49f70763570310a0d40b2079f8c6278e8b6a172bbaf8872ff6d90e7ec8f8aa9c6

Download Submit
C:\Windows\YHN8O2C\smss.exe

Filesize
313KB

MD5
206b6bd413c76197aac546c61da47df3

SHA1
ad63805b2d3fe38f02b19a532d8a4a16c22fd441

SHA256
7194144767d12b4f2a945920aaef0e2bc502baa140b035adf37f49ee1f57da4e

SHA512
6d652aab043ab6d84139f801b17771b057cae9f7a865d917a6a55614d894ae2fe1646073c542e8ed4d6ef9ec8ea7380a86735e20376215851cde16ebc8ce4fac

Download Submit
C:\Windows\YHN8O2C\system.exe

Filesize
313KB

MD5
529dcf0bbc9f672c6b98b37b166917a7

SHA1
e1791f8149ff70e59e43b73eeabae5d4790ad234

SHA256
49b4dab19b1ad107685ed11770415a53ce6faf63dc0ea1e46bb4b2f5a5a6a198

SHA512
7adbee55bb3c8a82665861f918a5523e2556f1e759cb56723eaa651b0bfd933505b30da461eeed2122f0196144de836cc753f2638dc65a197528e9af17029c12

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
c4b8a8c69c01cb54185f2b9b00389020

SHA1
0bf59a8c0c08b2d0aea013670e796dfb3d44deff

SHA256
5a4ce5403b4725c5e9ed26e43d861967c26f0de0b57eebf1812cc729c2dc48f7

SHA512
4ee088d3acca98e2263ef7cec96d29461025f297a026f9fe30b5759a2c7b4abceb11ebc9e8b30ccb876b9bedd66bc692b4a33aefa933b5a8951c5a4837e5cd28

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
61460234f4fa2ee35c4407a3899ba274

SHA1
64a10d11b97e2d709a61ea438e32af85b38df979

SHA256
7185631843addf5e5c6a1f9becf1e74bfe8f34d6f1d88acf90b7d921d1d3e580

SHA512
a37a1db0e2635ee46d6ec3b46b0d3deda3f3e56c24779a98b92c689a7e5209783f755bd4cd9a49443200174111ed90b7a8b802304dc54ef073338d1fc1907ca4

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
8e6e31f8df128a746ff9a3a38f8f78c0

SHA1
e4da9aa336eb7e254592e585b29d8b4e23f3e4bd

SHA256
dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7

SHA512
eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
46b965cd41e27870e027040d858d9dbc

SHA1
a0abba4c006f43e3d2db8cfcfc73b37433f6beeb

SHA256
6a532c72ef13f2bf27592051ddb9e834af475c2aa452ac127f075b9b793d9ca3

SHA512
ce8077df1b4c3c9db720afd41cadaf62a5b36a4d9fd327491025ff7dd8660c060ee55bb3b08b909e4a17f2e06abe862c43fe1c869be674bd59f23b263bb3fe23

Download Submit
\Windows\YHN8O2C\winlogon.exe

Filesize
313KB

MD5
75c900be5ba0155f41f43e7cc802cdc5

SHA1
dd62107b058a5ffb09e647375a3f7ad2de374edc

SHA256
fcff8a8a16755b48c084736c6587c0ff73e91755af22318c7c9c598c4cbf421d

SHA512
71a6c71fa67e52c62829ebe7627f4bcb17d042ed49e8816bef711dd29d703da8803cc1e85e4f5022eecfd06d77cd9276ac473af28249e57745f8145b7557a4fb

Download Submit
memory/780-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/780-47-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/780-73-0x00000000033E0000-0x000000000343D000-memory.dmp

Filesize
372KB

Download
memory/780-166-0x0000000003D90000-0x0000000003DED000-memory.dmp

Filesize
372KB

Download
memory/780-209-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/780-75-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/780-85-0x00000000033E0000-0x000000000343D000-memory.dmp

Filesize
372KB

Download
memory/780-80-0x00000000026F0000-0x0000000002700000-memory.dmp

Filesize
64KB

Download
memory/780-55-0x00000000033E0000-0x000000000343D000-memory.dmp

Filesize
372KB

Download
memory/1432-238-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1432-228-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2520-234-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2520-121-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2524-165-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2540-233-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2540-241-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2540-240-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2540-239-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2540-242-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2540-243-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2540-244-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2792-229-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2792-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads