ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58

Analysis

max time kernel
91s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Size

91KB
MD5

c7996b5ad648f9da525fb5c6a0df7db0
SHA1

995a13280c0006939adc202b75b2d7fae9c11fe3
SHA256

ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58
SHA512

11a34e7fd30f0c036a8e1d392537094d80534ae43f37e106d9f677fcca809a58877f80632e2cada22790b2843e27d8b11db9f047cfcfd7249f5f78cb24721fbd
SSDEEP

1536:zAwEmBZ04faWmtN4nic+6GQAwEmBZ04faWmtN4nic+6G9:zGms4Eton0QGms4Eton09

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
1396	xk.exe
2180	IExplorer.exe
2516	WINLOGON.EXE
2732	CSRSS.EXE
264	SERVICES.EXE
2508	LSASS.EXE
1028	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
File created	C:\Windows\SysWOW64\shell.exe	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
File created	C:\Windows\xk.exe	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
1396	xk.exe
2180	IExplorer.exe
2516	WINLOGON.EXE
2732	CSRSS.EXE
264	SERVICES.EXE
2508	LSASS.EXE
1028	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1396	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	30
PID 2636 wrote to memory of 1396	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	30
PID 2636 wrote to memory of 1396	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	30
PID 2636 wrote to memory of 1396	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	30
PID 2636 wrote to memory of 2180	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	31
PID 2636 wrote to memory of 2180	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	31
PID 2636 wrote to memory of 2180	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	31
PID 2636 wrote to memory of 2180	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	31
PID 2636 wrote to memory of 2516	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	32
PID 2636 wrote to memory of 2516	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	32
PID 2636 wrote to memory of 2516	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	32
PID 2636 wrote to memory of 2516	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	32
PID 2636 wrote to memory of 2732	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	33
PID 2636 wrote to memory of 2732	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	33
PID 2636 wrote to memory of 2732	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	33
PID 2636 wrote to memory of 2732	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	33
PID 2636 wrote to memory of 264	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	34
PID 2636 wrote to memory of 264	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	34
PID 2636 wrote to memory of 264	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	34
PID 2636 wrote to memory of 264	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	34
PID 2636 wrote to memory of 2508	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	35
PID 2636 wrote to memory of 2508	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	35
PID 2636 wrote to memory of 2508	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	35
PID 2636 wrote to memory of 2508	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	35
PID 2636 wrote to memory of 1028	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	36
PID 2636 wrote to memory of 1028	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	36
PID 2636 wrote to memory of 1028	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	36
PID 2636 wrote to memory of 1028	2636	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe	36

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe

C:\Users\Admin\AppData\Local\Temp\ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe
"C:\Users\Admin\AppData\Local\Temp\ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2636
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1396
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2180
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2516
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:264
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2508
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
0f33e6b767c759f4df4505978e52d471

SHA1
707714a08e21d5dac2c99f387d7b7243a3f3ed0e

SHA256
c03ff935042af8363fc02c5b02a7b25d152bd8bfb5424c279e3186409e794ac1

SHA512
d3e95e7ab7d7fc95ee032448ac39395f1c03751a678cf7306fd2032b70db0d783407e97e18982d765cfcdf7f646f0ef16976eb484cff295a239d08acab35f10d

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
c7996b5ad648f9da525fb5c6a0df7db0

SHA1
995a13280c0006939adc202b75b2d7fae9c11fe3

SHA256
ef19ea04fa0737a4dcd5b70e337b3dca2d22298ac0ab288c2b66abee9820bb58

SHA512
11a34e7fd30f0c036a8e1d392537094d80534ae43f37e106d9f677fcca809a58877f80632e2cada22790b2843e27d8b11db9f047cfcfd7249f5f78cb24721fbd

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
ea05c4e681767a70959fa9eddca70d42

SHA1
17893a02e0fb960ba2a2afca6049b55457b0a268

SHA256
7d07de23f4227a0e0af62bedcff3f45b371543bae0e05a270f60767675455cac

SHA512
d45d3d2f9453ef89a30db65aee6918fa7fce7339356be41aa827b177f14a89b58b1f93020c4797b7bcb3b50b4f9892616922b1ed1e7afa17514c610c9fae2e70

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
8805821d490e61d29b15f5f1c3526428

SHA1
97018262e8fe318028db50cc85cb12abadd60f25

SHA256
0c50a6dbd4c2b91edea78182f8b21dfb29790111c35b899d86dc4c27194f396c

SHA512
b1108a602a918dca52bd588294591db7d55b05611682b64d33bd27ba003df4c4b673119a13c0687b57d5d55320564f19b56ac2231f6e40e9ab3b901809412962

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
a273d12e7c7ec531aee5da2bb4bf9805

SHA1
e3faf7730cf3b9e8e370221cd212e5ade79dd419

SHA256
16ab886bd3cb0ac24d37331f5001d8a701b09e16a489c0632ed5d934e57b3620

SHA512
6395b4f15959f7e74b5bd46bdc8d145cbe7b4dd7069d2747d597f11bbec87fcdbd16dd36dc869c1661446bc5af296f5ef59e6d01702d2112e5563b2c0a598abc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
e8839e594f9bdd0a1f249641f8e77a22

SHA1
ec572d088d71f49b3b719e704aef0cde732640ec

SHA256
c5351fa902fc96e73d140ed0fb67f1003a0c60ce0a3e8bd216769f8b6596a229

SHA512
3953b975a839fc616d5075bfb374d8f07716d093b2ee35c365c3d8530d90d1052570276a75757fd78b748907447b8ab60b5f5f8ae17cf2e34a64229cc01c255b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
64b2caba34c8a2bfb915e9a239e27216

SHA1
495ceebd65077c25b4da54447d581e20c618f8b9

SHA256
3f006785564638bd119d4d9e3447760434a00797723d6c84f316b482d738695e

SHA512
1011ad08ad8c4378c023dd2d78156208cbde4bfaeb9e1ce49cece5648f1a1d93b7206b262488e167a36b67cd789806e85c74516eb0e272aa0d6053546f3753e8

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
77b183f6c57f7477e75d03817fc6a10f

SHA1
4cbd2a6cb8da856bc9d0ef6233b7b0a6f4514c1f

SHA256
de5f7810670f6f86ff6c06f8c108a8401d79d86ca8a98d5f4b72cbfdde0f3a99

SHA512
c0579a9e0944dcbbaeef6ed0a433870d65b100fedce3545cf9b4b2c39dfb6bc71275c3e7c24ad68bfd92f0f6d0afbc8af2ca338dcd6ba6e94d984a4ba6066c71

Download Submit
memory/264-169-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1028-192-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1396-116-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1396-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2180-129-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2180-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2508-179-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2516-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2636-150-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2636-149-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-157-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-163-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-175-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2636-136-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-123-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-110-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-111-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2636-191-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2732-154-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download