43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Size

45KB
MD5

097b86281d6791d219db3e87794fb060
SHA1

1a6cc5a02809ed2d5e58b61a4f8ba5607e9a42c1
SHA256

43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7b
SHA512

9cf82bd2c88d26f38ffb29976ed4a70f59d6ede7c053aab3260f16f5b5bdcc3b2f2549e9409133b13d8f12b58bd2a5a4af34277f2d2bf84024cc13ba0e92828a
SSDEEP

768:/mFQj8rM9whcqet8Wfb4JzRJwEIHU5U3rf12WmULgJs7DFK+5nECb:1AwEmBT4JzRJwEeUW7f12xULgJzCb

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2688	xk.exe
2280	IExplorer.exe
1956	WINLOGON.EXE
2808	CSRSS.EXE
2828	SERVICES.EXE
2964	LSASS.EXE
1528	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
File created	C:\Windows\SysWOW64\shell.exe	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
File created	C:\Windows\SysWOW64\Mig2.scr	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
File created	C:\Windows\xk.exe	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
2688	xk.exe
2280	IExplorer.exe
1956	WINLOGON.EXE
2808	CSRSS.EXE
2828	SERVICES.EXE
2964	LSASS.EXE
1528	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2688	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	31
PID 2476 wrote to memory of 2688	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	31
PID 2476 wrote to memory of 2688	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	31
PID 2476 wrote to memory of 2688	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	31
PID 2476 wrote to memory of 2280	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	32
PID 2476 wrote to memory of 2280	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	32
PID 2476 wrote to memory of 2280	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	32
PID 2476 wrote to memory of 2280	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	32
PID 2476 wrote to memory of 1956	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	33
PID 2476 wrote to memory of 1956	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	33
PID 2476 wrote to memory of 1956	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	33
PID 2476 wrote to memory of 1956	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	33
PID 2476 wrote to memory of 2808	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	34
PID 2476 wrote to memory of 2808	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	34
PID 2476 wrote to memory of 2808	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	34
PID 2476 wrote to memory of 2808	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	34
PID 2476 wrote to memory of 2828	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	35
PID 2476 wrote to memory of 2828	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	35
PID 2476 wrote to memory of 2828	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	35
PID 2476 wrote to memory of 2828	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	35
PID 2476 wrote to memory of 2964	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	36
PID 2476 wrote to memory of 2964	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	36
PID 2476 wrote to memory of 2964	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	36
PID 2476 wrote to memory of 2964	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	36
PID 2476 wrote to memory of 1528	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	37
PID 2476 wrote to memory of 1528	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	37
PID 2476 wrote to memory of 1528	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	37
PID 2476 wrote to memory of 1528	2476	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe	37

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe

C:\Users\Admin\AppData\Local\Temp\43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe
"C:\Users\Admin\AppData\Local\Temp\43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7bN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2476
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2280
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2964
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
45KB

MD5
097b86281d6791d219db3e87794fb060

SHA1
1a6cc5a02809ed2d5e58b61a4f8ba5607e9a42c1

SHA256
43085352cab4a17df251d25b75a85fac2da3b777fc3c3e0a99c9270581b9aa7b

SHA512
9cf82bd2c88d26f38ffb29976ed4a70f59d6ede7c053aab3260f16f5b5bdcc3b2f2549e9409133b13d8f12b58bd2a5a4af34277f2d2bf84024cc13ba0e92828a

Download Submit
C:\Windows\xk.exe

Filesize
45KB

MD5
618d9f98d6b690297f51390401fc5f7f

SHA1
0ff9d115d5b004c82f9b29610ea0a48ced45346e

SHA256
d26290e1d800c545ac6c5f84add56bc9cde3b89847ffa0560d6c2f4d7e373ac9

SHA512
e1e135af1b3d16a77286c9a54dc02108aa9a973d72e9f0d6d5868ccbcf824ef1285733e0b22f43bce72156ff19d7c47efccf5b8a646cab3227a60a604d4f9ab0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
b528f64542e731c7e8deeabc04cdf170

SHA1
e24848bf70ff0d485d414e4f4d73bb493ced4ef0

SHA256
46faab5fd55f69d4ac6ecc6324e1413e43d189b78f81d54fa83fe75930448232

SHA512
42d3127455b4af5d4fbacb7c99e4791a715a45758a12ca7ed77ebafc1c4b283a7b85e7d860a42657821b179c13cfbfe0b288e3fd68cd7236d58026875a6780dd

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
5e9a7fe4641268c544766e855985c283

SHA1
97bed914b4dc533daa17cb4d66b63e6a5fc36290

SHA256
d7a79f78c2233c70993f607c804348ce21753d10d3e461b623478bd95bdecefd

SHA512
cac56c72ba1f4510b2fea557afe01bbc02530aec5a39963ddcd592e4f95bd18b902aea79db90256df363be5bca02088b73212e0fd1d3c975f7a731ed4f565cf8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
bdd89900bb60aee46fff46af15d5b9c1

SHA1
c5b9b1093747fddeb8d0de9d5a79395b8c666a41

SHA256
7e01950be4a00fa3c8b5f6961cb5cf95c6e8f59d4310f758798b53936946f53a

SHA512
ee015641ae4c4997d996a9969068bd935fe96049e75621854d7decae34f1cf296d9ba0fef19e5a5035477627be80d6ab60b6492469b35be0ad3d960ced61ee17

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
f3089803b566eee587e531d201f2bd5f

SHA1
f646204c447505e00f160d8f2d9f916337f8f922

SHA256
784c1295fb203f6cbb668d60550d246fe55ea3322ceb06fe51fcd2d54a56b39f

SHA512
bcc4de28684504f3bf606a257635a18fd5119075d2fd7bc4d0924a58a93621b2dd7bfd6163651f1b705c347b9ea117471a5f72e759540e9a2e8b03ab4b5ea4e5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
06bead59695819fe03e393d2bbca8a47

SHA1
7ead0d0fbd0e848406b1b0c266a7277f2fecf153

SHA256
e8b51b53ef4c0b664b170b92f172a253500b3c73526d904254daed7935c59d2f

SHA512
8d72c4f85ad0c8e0e677bd909d1376f4fb00c2d62e8a6178c4904128ceb05203e40bda9cd4796536fe768e7005a6549024543543a6e6fda00a3dbd2782717359

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
3e7156740560b053f838b0232162cd75

SHA1
8fafeafcec2bfaf250622753181aff0796ea7a64

SHA256
e34a5475ae90bc716aa2f29ffdea4eb39f1c6fae9b8ed9624616e56db001ee9f

SHA512
c5b35038b1628196ad67be7b209219694b8c4d07e8cecde7b374f069006e312d706f3356567ad510453e66ce4ea1933a4d901d01fb451ec057c9f15580d81589

Download Submit
memory/1528-187-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1956-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2280-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2280-131-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2476-148-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2476-122-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2476-123-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2476-183-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2476-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2476-137-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2476-186-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2476-170-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2476-106-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2476-110-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2688-115-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2808-149-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2808-152-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2828-162-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2964-175-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2964-171-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download