757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278be

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
Size

347KB
MD5

889ce0232dcca264fc7357f0428bc2b0
SHA1

8417625f2d111b6f67be17624ec9d8d682383845
SHA256

757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278be
SHA512

31aac782312ebf21ef21f59966b0c23112df3982cc97ed652a68751c370316099489e8524ea9ab96b435b54fc9b143965c3e8321a24dd0a403154eea3326daf4
SSDEEP

6144:UY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju4U:/nWwvHpVmXpjJIUd2cUusvalxU

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\\DSY8L5S.exe\""	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0006000000017236-126.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
2680	service.exe
2540	smss.exe
2344	system.exe
3004	lsass.exe

Loads dropped DLL 6 IoCs

pid	Process
3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000017236-126.dat	upx
behavioral1/memory/2344-241-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral1/memory/2344-257-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\sSY0Q2W0 = "C:\\Windows\\system32\\FXV5F1YYGP3L3J.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0L5SGP = "C:\\Windows\\TVI0Q2W.exe"	system.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File created	\??\UNC\WOUOSVRD\I$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\H$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\L$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\N$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\W$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\B$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\P$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\S$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\O$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\E$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\K$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\Q$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\U$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\V$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\Z$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\A$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\R$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\T$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\Y$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\ADMIN$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\J$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\X$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\C$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\D$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\F$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\G$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\M$\desktop.ini	lsass.exe
File created	\??\UNC\WOUOSVRD\desktop.ini	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\G:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\KJM8S7F.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\FXV5F1YYGP3L3J.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\FXV5F1YYGP3L3J.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D\FXV5F1Y.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D	service.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D	smss.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D\FXV5F1Y.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\KJM8S7F.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\FXV5F1YYGP3L3J.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D\FXV5F1Y.cmd	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\SysWOW64\FXV5F1YYGP3L3J.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\KJM8S7F.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\SysWOW64\KJM8S7F.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D	system.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D\FXV5F1Y.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\KJM8S7F.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\FXV5F1YYGP3L3J.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D\FXV5F1Y.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\UMN0R1D\FXV5F1Y.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\KJM8S7F.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\FXV5F1YYGP3L3J.exe	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}	smss.exe
File opened for modification	C:\Windows\TVI0Q2W.exe	smss.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	system.exe
File opened for modification	C:\Windows\TVI0Q2W.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	system.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	system.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	smss.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	winlogon.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\YGP3L3J.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	lsass.exe
File created	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	winlogon.exe
File created	C:\Windows\MooNlight.R.txt	smss.exe
File opened for modification	C:\Windows\moonlight.dll	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\lsass.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\TVI0Q2W.exe	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	smss.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com	system.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com	winlogon.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\DSY8L5S.exe	winlogon.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	lsass.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	smss.exe
File opened for modification	C:\Windows\YGP3L3J.exe	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\DSY8L5S.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\TVI0Q2W.exe	lsass.exe
File opened for modification	C:\Windows\YGP3L3J.exe	lsass.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	service.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	lsass.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\TVI0Q2W.exe	winlogon.exe
File opened for modification	C:\Windows\YGP3L3J.exe	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2344	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
2680	service.exe
2540	smss.exe
2344	system.exe
2836	winlogon.exe
3004	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2680	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	30
PID 3012 wrote to memory of 2680	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	30
PID 3012 wrote to memory of 2680	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	30
PID 3012 wrote to memory of 2680	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	30
PID 3012 wrote to memory of 2540	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	31
PID 3012 wrote to memory of 2540	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	31
PID 3012 wrote to memory of 2540	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	31
PID 3012 wrote to memory of 2540	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	31
PID 3012 wrote to memory of 2344	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	32
PID 3012 wrote to memory of 2344	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	32
PID 3012 wrote to memory of 2344	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	32
PID 3012 wrote to memory of 2344	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	32
PID 3012 wrote to memory of 2836	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	33
PID 3012 wrote to memory of 2836	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	33
PID 3012 wrote to memory of 2836	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	33
PID 3012 wrote to memory of 2836	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	33
PID 3012 wrote to memory of 3004	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	34
PID 3012 wrote to memory of 3004	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	34
PID 3012 wrote to memory of 3004	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	34
PID 3012 wrote to memory of 3004	3012	757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe	34

C:\Users\Admin\AppData\Local\Temp\757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe
"C:\Users\Admin\AppData\Local\Temp\757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278beN.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2680
- C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2344
- C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2836
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com

Filesize
347KB

MD5
aa5c92a9774d4200d40bb0bcfb470f6a

SHA1
6d58cf0b0e700970da8d5d39a989ee4f34a15b0c

SHA256
f94b4f725e056a8293d384f414b7915997dc0e7ad196a9a9532bc315e1e1419b

SHA512
a9495307e70c0fdc64df5e74605f464086a62569555f7382ff8d4414dc05d190c2485475765e26190a328016196933668ea339f16944d67c75c3d271228e4441

Download Submit
C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com

Filesize
347KB

MD5
359bf3eb5c59cd00711bc57d572ef001

SHA1
1c0d708f261380f84057bdfd63dd29ce26a90069

SHA256
b9fda9e98af047ce549fd6a5498ada74b45313fa98d5d0aa8431bdb13367510f

SHA512
8b2493ded5c935bd53fbfc878c707316ef3c7bf94d3ad6cd3221ddfcc62b8413a4cb85614431acf2736aecb5a28ea4900f074132e67dbd11fff2102b492b1a08

Download Submit
C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com

Filesize
347KB

MD5
ae5e98b2642fc921a584dd0d135c816c

SHA1
e2654478733ee30b7f66c9e31fc7b181e686af44

SHA256
7edb6d07aa1bbc4afcbcd700b1afffd5658b74ea952940e554be63fa8b404fb9

SHA512
0917d079295399476e04b75eb5046832255c96d6aad04259b752e6e9bc4a651b32d458b04f6d1994f2605e9a45ff792f374d5f1de03607289f9d1e5afe77b580

Download Submit
C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\PSO8S6L.com

Filesize
347KB

MD5
94ab3d14ca64ec5ebc0c155cc78ca596

SHA1
806866798b51453135cad3d5bf0051a33dd233c6

SHA256
00723bdc20b4eada77cad09845c0d2917a1222c01747a7b5285e6e03dfefb8de

SHA512
8868253ae1ae5eee2e3d28dc937cda13868b5a92215e8841fe8df7fdec2f8feff8886ee1c95f3d830b3b40e446b265ad19a113e2ac15bb2b0fec342b7a827444

Download Submit
C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
347KB

MD5
15edca481136080fed6455654181f44a

SHA1
47cb5c0685c4d87856c7b161e5b7980e0608d9ba

SHA256
986034f05d56ce6502d17860809cee0e24fc888bd76c55ec6b12001cfe769414

SHA512
02960e4ce8521f617096643bc75f2fcd53f206f62edafaa16178d2b302bcbf02562b061850f398caa8b10190b206a60af612629ccfffb569082d33296f668697

Download Submit
C:\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
347KB

MD5
7258d9f813de716ca6472ca34e4fb954

SHA1
fe37a2a426db7ec05ae06dac418d90704ddd4e65

SHA256
a866dcb7f4901e8575f548ea8e2fd4b7807faad09f12f4eb30f693d926aa020f

SHA512
5b83466a88effb8298135dc735ab0d71a477df7153ddae0acae3d191f08469cb282918667eb175520668742a3ab3a32958f1668ba62bbb05e6501d7b39e8c170

Download Submit
C:\Windows\SysWOW64\FXV5F1YYGP3L3J.exe

Filesize
347KB

MD5
8fcf97c1f25d5274b73167b10c106466

SHA1
f936f0447b940421421a4beb1b47f95c30071494

SHA256
89152bd96f840ff8c6b273a60bdfc8338476aba9c82b5e7de1e23575fd3abc71

SHA512
ec34d8512b407d05e1398f16cf6b3328c8140fdf78fc6138b578a70d59b35adff4f6a35ce0bfdc2f3207a91ce4e3ad1724f860e3c05d78d0b968332cc61c4b4c

Download Submit
C:\Windows\SysWOW64\KJM8S7F.exe

Filesize
347KB

MD5
c720cbca37f24381eb7ea4d7a65f7c34

SHA1
04127eff5f9328b55ddeeb124bb9825220c49c4d

SHA256
202756f7a886f84c778167bf23b075c8976f4a45ace83fe28a29d372aea25fe7

SHA512
7823a15047096e1d3c1614a86a93ad08ee9283661e984ec01cdc56de47fc9615995855d8da0fc9342f9b12caca1293ecc37101a6dc8395672d232c01e2df162b

Download Submit
C:\Windows\SysWOW64\KJM8S7F.exe

Filesize
347KB

MD5
ed8b792b1e1b9de95060dc9b00e845ad

SHA1
2181435faff1d3913b1fdc48286064c8196ce2af

SHA256
ba9b4d6cd224f247776521b1f6aa5cae7da685cd9780087b40a072489b486bba

SHA512
a61d6b80fb3517209099d108ae46fe580d3d656ca75ee84aa57fccfeae7ce5976033246540e0cc5cadf7b8a6d5d01ed71030b6b8f704657fa08e44e21d0bc307

Download Submit
C:\Windows\SysWOW64\KJM8S7F.exe

Filesize
347KB

MD5
d75824cc54488e1443827440c8078f0b

SHA1
1d80d51ef07c1ca1b1b5c412cfa72e18fa9730ca

SHA256
85b3bd1639b2281db3e8f10fb4e8fcd695f6862d504fe4b9b76297d03d6822f6

SHA512
73924bffdb2060a118db53609161b7891fa3c0d2d4a8a21c8b795258e47c1a7893bff9e759f7e92b8f8d56d72c8cbe612e566cdbd69b8fe0e540c58f61752563

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
44de5a1c26d0e221c1276ede40f26ad7

SHA1
53e46dba2c5186ca67e3a53cff83c3a7c7420cac

SHA256
fcba0b962eae102c03a24845865d1d697ddbefef668a49063d189a2237b1d127

SHA512
6099ce15dd3fd055ffb1b323893438b9e68903b9523114f8a09d9ccb5b76a8a8763bc82c46aa31ee6d71a218ddfd0bc6575cfcda143ead29c4e7242d75a9d102

Download Submit
C:\Windows\TVI0Q2W.exe

Filesize
347KB

MD5
9e9e6ee4404f503eb4f74e2720c59edc

SHA1
c4f437b93d6b2e7ff66d28a3e12587a143fbca98

SHA256
3ec763ee45ed5347ecb75c12dbc4327140319235f255bac72a151dac27c7b443

SHA512
15f401c5e5df05c2610611cd3227739b20799dfff6cb1d9815e63df9198426faee7f2194be759f7b7030e2efc477cf0c6be4b92fb473b057853f7978d2159c67

Download Submit
C:\Windows\YGP3L3J.exe

Filesize
347KB

MD5
23bb101115c841cefd3f3443dc016993

SHA1
7f4cfb777abe599574fb55cec44409535b97fc8c

SHA256
9c8f5a62bf5ce707dcd7bab2e54ea5fe17fdd85a48096d7889d41dfb0f00f1dd

SHA512
12fbf5ea825e9942f385ff65e6e4cd61ba3051faf687be87bab17624868321467d6b669331106b219fbc6a5df51701786441a29069f45bed378251ac8d090a65

Download Submit
C:\Windows\YGP3L3J.exe

Filesize
347KB

MD5
421dbe2e508b6e9929657f764f26ea38

SHA1
493c56bd9b80c99b114317d18df5b760fa641eb8

SHA256
85639539e236a6cbb0a46a96e55f6b3b6c763b9a3ac4fbf25c86d56254282450

SHA512
f0f8d01aaa99ca0ba88bf69adfbc9186a79506be806b3bb2002e065dbf48bc5190ec05060837f753eb0bc8369971eb79f020668863251f4b24a5530060fbb9d8

Download Submit
C:\Windows\YGP3L3J.exe

Filesize
347KB

MD5
012ed4cf535a6350e6437aff624b8c0d

SHA1
e1f6c0c2ce5b6ca3fa3261f23b35cbe92945999f

SHA256
a69972fe2e8fc16e94ce01238f7b43f84fadcd2bdf0c18ffeaffae8573f10008

SHA512
3caae90ecec9eed99ba586b2a7a7b54cfcdbb740f4693e742b9ec7b1c08bf581cf8b02317afb9c436198030064304cbe0068bafc6257d7bfbac00c5478a33827

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
61460234f4fa2ee35c4407a3899ba274

SHA1
64a10d11b97e2d709a61ea438e32af85b38df979

SHA256
7185631843addf5e5c6a1f9becf1e74bfe8f34d6f1d88acf90b7d921d1d3e580

SHA512
a37a1db0e2635ee46d6ec3b46b0d3deda3f3e56c24779a98b92c689a7e5209783f755bd4cd9a49443200174111ed90b7a8b802304dc54ef073338d1fc1907ca4

Download Submit
C:\Windows\lsass.exe

Filesize
347KB

MD5
ac64cd56c5b6862ab569ecdd88835684

SHA1
4734d45d26b25782aa859771129bb8e58cd32eea

SHA256
78a4bca7b262d2767c3ca2cf1816f663e9bef06b45c1426064ac721ca034ca1d

SHA512
a911f220092f0fde04cf13c853f2ba96c47252ea3e76e111a1775c920a9b3c32c4922cf0dd28ae8a25e67417c141b7d542bebd3ed305da2ee85b0cab75b609eb

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
f124571fa923463365ac2e10fcf5aad0

SHA1
71f1a592a0d2e95a3a33c562607daf4a9135dd0a

SHA256
f4188012b867d68493e2970a7867b5290b19cca051820b18f539f94ae53b68fa

SHA512
e3c51a962d43b0944155413c7b597ef418c064c49c5f59d5ced08a073a33885410d2ac212bdeae8855d1e200e4065f9480bc95563fb37d49b57cdeb60e2b3800

Download Submit
\Windows\NSY4C7N.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
347KB

MD5
889ce0232dcca264fc7357f0428bc2b0

SHA1
8417625f2d111b6f67be17624ec9d8d682383845

SHA256
757d363083bdf22b5ebc8f646da24db0abde579635b6200ea5e71f697cb278be

SHA512
31aac782312ebf21ef21f59966b0c23112df3982cc97ed652a68751c370316099489e8524ea9ab96b435b54fc9b143965c3e8321a24dd0a403154eea3326daf4

Download Submit
memory/2344-80-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2344-257-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2344-241-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/2344-234-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2540-216-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2540-69-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2680-202-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-238-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-277-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-271-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-263-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-261-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2836-239-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3004-204-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3004-254-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3012-56-0x0000000002F40000-0x0000000002F98000-memory.dmp

Filesize
352KB

Download
memory/3012-76-0x0000000002F40000-0x0000000002F98000-memory.dmp

Filesize
352KB

Download
memory/3012-67-0x0000000002F40000-0x0000000002F98000-memory.dmp

Filesize
352KB

Download
memory/3012-50-0x0000000002F40000-0x0000000002F98000-memory.dmp

Filesize
352KB

Download
memory/3012-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3012-47-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/3012-207-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3012-79-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3012-95-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/3012-96-0x0000000002F40000-0x0000000002F98000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads