6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342e

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Size

91KB
MD5

916bbdd3ba6e9f62bf4892472bd554e0
SHA1

486d600a97ac34ff4b80cc296b27adb77c76b45f
SHA256

6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342e
SHA512

d5419c93a76c3ef6283f454a880d83ce880032c14ce58071836b7c93fd222f192c46f59ad92c537f6d850e46a805807d245c0d3e6b25184c0627237f115d6ce9
SSDEEP

1536:XRsjdLaslqdBXvTUL0Hnouy8VjVRsjdLaslqdBXvTUL0Hnouy8VjK:XOJKqsout9VOJKqsout9K

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2592	xk.exe
1780	IExplorer.exe
1668	WINLOGON.EXE
1740	CSRSS.EXE
2296	SERVICES.EXE
1356	LSASS.EXE
892	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2816-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001933e-8.dat	upx
behavioral1/files/0x00080000000193af-110.dat	upx
behavioral1/memory/2592-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2592-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a41e-115.dat	upx
behavioral1/files/0x000500000001a477-126.dat	upx
behavioral1/memory/1668-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1780-128-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1668-139-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2816-142-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a478-140.dat	upx
behavioral1/memory/1740-149-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1740-155-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a486-152.dat	upx
behavioral1/memory/2296-165-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a48a-166.dat	upx
behavioral1/memory/1356-176-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001a497-177.dat	upx
behavioral1/memory/892-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2816-189-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
File created	C:\Windows\SysWOW64\shell.exe	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
File created	C:\Windows\SysWOW64\Mig2.scr	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
File created	C:\Windows\xk.exe	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
2592	xk.exe
1780	IExplorer.exe
1668	WINLOGON.EXE
1740	CSRSS.EXE
2296	SERVICES.EXE
1356	LSASS.EXE
892	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2592	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	31
PID 2816 wrote to memory of 2592	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	31
PID 2816 wrote to memory of 2592	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	31
PID 2816 wrote to memory of 2592	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	31
PID 2816 wrote to memory of 1780	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	32
PID 2816 wrote to memory of 1780	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	32
PID 2816 wrote to memory of 1780	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	32
PID 2816 wrote to memory of 1780	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	32
PID 2816 wrote to memory of 1668	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	33
PID 2816 wrote to memory of 1668	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	33
PID 2816 wrote to memory of 1668	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	33
PID 2816 wrote to memory of 1668	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	33
PID 2816 wrote to memory of 1740	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	34
PID 2816 wrote to memory of 1740	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	34
PID 2816 wrote to memory of 1740	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	34
PID 2816 wrote to memory of 1740	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	34
PID 2816 wrote to memory of 2296	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	35
PID 2816 wrote to memory of 2296	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	35
PID 2816 wrote to memory of 2296	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	35
PID 2816 wrote to memory of 2296	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	35
PID 2816 wrote to memory of 1356	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	36
PID 2816 wrote to memory of 1356	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	36
PID 2816 wrote to memory of 1356	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	36
PID 2816 wrote to memory of 1356	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	36
PID 2816 wrote to memory of 892	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	37
PID 2816 wrote to memory of 892	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	37
PID 2816 wrote to memory of 892	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	37
PID 2816 wrote to memory of 892	2816	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe	37

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe

C:\Users\Admin\AppData\Local\Temp\6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe
"C:\Users\Admin\AppData\Local\Temp\6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342eN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2816
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1780
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1668
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1740
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2296
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1356
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
916bbdd3ba6e9f62bf4892472bd554e0

SHA1
486d600a97ac34ff4b80cc296b27adb77c76b45f

SHA256
6510d36249d7406d7cecd393ee965c6740bafec77693aad306742c457f33342e

SHA512
d5419c93a76c3ef6283f454a880d83ce880032c14ce58071836b7c93fd222f192c46f59ad92c537f6d850e46a805807d245c0d3e6b25184c0627237f115d6ce9

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
023207e75f7b78196284408086ea864b

SHA1
cd2499f2d9f608dab323d4be8fd04e64c0ddf506

SHA256
eabc6639e21d489c14b999aaa4214ab7eec902b534475b98333a15817b07a34c

SHA512
ed720cc5f3622e17c1c925f44b0f1991c0257d1bd8a4e77b00c3bd8d57bd60ab9db4a0baf531051a39db3c703e4dcf817f22eafad8c309196090aaa8851323d3

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
7b2ed8eb3b75635393cc5855093669bd

SHA1
49dca6019206403daa70da10603ab3822d2c1e30

SHA256
6196ca88eee4b840aa9d88f4e8bd92e594f94a212897bd6886b672ace8915d35

SHA512
c684f133b1158a2a78d36950fb6165bc01a8749dff64c67af9ba63c6b7035a2ba5428979aaa9dd99d9dcce87b6987d011d37a759ba8f91c8ab4cbc0ee618c7ca

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
f064849d04f3c264782f7b1848816cc0

SHA1
f03135b9b2413f179ce23eae42f3d58d667d3a6d

SHA256
6a6153b24de245108a7ebaf9e9efe61a68bf7e903af1706e9536e22f619c18fc

SHA512
abd13bc68cca83f6fa7e988de517d4cbf0376d113433958fb780e045e7c617f2bda1f12f2c53f806363da597fd124d2557167a1baed8016c0a4f1d20cb616ab9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
0c4e7128d0f73f34c95ad420136db03f

SHA1
f76aa6f97b9535988714f65962923224a038d510

SHA256
4e0fd8b0d8b73d9b164bd72e0602fdefaaee5bf1605bb3a667a4b93572f77950

SHA512
6ec26b8a5acf588da64ff6bc522bed365fb6a22f8c7f4c034da60f16d708d1434e98cff24867cb5fd489b11d1e306cd022581b47162fff2cc17568c1c7f10418

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
8ce1a08a881944fb7c07151d3d805286

SHA1
6f38cf063d0711aee13eeef58c691c4f03391a4e

SHA256
8d7568f549cfe8f0a122e51afd0e9b08d8a2ddd8d0a90c1c6aaa397dddfefa0f

SHA512
b4973830dcdd2931ca99863e8eec3360ebbf7b05d9850ae3c4760213167d1f5228eceb78853f885e6dda01964f94737ee12db4e802e6febd67a0917e56c22571

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
9cae29c63134b386cef427baaff2fb51

SHA1
f1064bbfd82e303c8692ac4b3344e3f5404df76a

SHA256
c93ca6caceadc044de8851b9b7db9e0864b0bc894d89250c0105fbf31c7939ac

SHA512
9f36f8cf3268c8486063d30c86c0c48c9551ad8e45583f86e88e924a9c60b3775ed124b615172a13815d6944a00bd127325a7de0c67c19d7237d6ec52bc31966

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
94f4af2b553b390602de93621df2a40b

SHA1
c4141e8bc70da478db75a7abdf22cded2deaa5ca

SHA256
691a23ddb9f7f814bdc4f2629131e8d7b1f752fd65d81afe63a2dab021ea59a6

SHA512
3202767274752e287f453d103b68bdc96b860c06bf0420d47414741fcba43e6b74a9bf827202201b16f16a1de9ef7b959760de3fc9bbe077f8b0b1ab842d98de

Download Submit
memory/892-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1356-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1740-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-161-0x0000000002630000-0x000000000265F000-memory.dmp

Filesize
188KB

Download
memory/2816-148-0x0000000002630000-0x000000000265F000-memory.dmp

Filesize
188KB

Download
memory/2816-133-0x0000000002630000-0x000000000265F000-memory.dmp

Filesize
188KB

Download
memory/2816-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-172-0x0000000002630000-0x000000000265F000-memory.dmp

Filesize
188KB

Download
memory/2816-109-0x0000000002630000-0x000000000265F000-memory.dmp

Filesize
188KB

Download
memory/2816-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2816-108-0x0000000002630000-0x000000000265F000-memory.dmp

Filesize
188KB

Download
memory/2816-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download