8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337dae

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-10-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Size

90KB
MD5

d1967e784a6e8b6dab51c2b1396622d0
SHA1

b1a534ec8a8a893ca9204091695710204e81e6e9
SHA256

8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337dae
SHA512

2fe3a83d5bec55100e9857038cfed2a9c706135b6d898f3a874d1ceaa59c1ae65f520b53f4d02aa6778c514fccede9357092e9c6384e30266a1cc0e4c5122cad
SSDEEP

1536:XRsjdLaslqdBXvTUL0Hnouy8VjsRsjdLaslqdBXvTUL0Hnouy8Vj:XOJKqsout9sOJKqsout9

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
380	xk.exe
2708	IExplorer.exe
1444	WINLOGON.EXE
2840	CSRSS.EXE
1500	SERVICES.EXE
1988	LSASS.EXE
1860	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
File created	C:\Windows\SysWOW64\shell.exe	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
File created	C:\Windows\SysWOW64\Mig2.scr	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/580-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000193c4-8.dat	upx
behavioral1/memory/580-106-0x0000000000340000-0x000000000036F000-memory.dmp	upx
behavioral1/memory/380-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019621-110.dat	upx
behavioral1/files/0x0005000000019629-115.dat	upx
behavioral1/memory/380-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2708-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001967d-135.dat	upx
behavioral1/memory/1444-139-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/580-142-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000196be-140.dat	upx
behavioral1/files/0x00050000000196f6-150.dat	upx
behavioral1/memory/2840-152-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1500-161-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001998a-162.dat	upx
behavioral1/memory/1988-175-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019c43-176.dat	upx
behavioral1/memory/1860-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/580-187-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
File created	C:\Windows\xk.exe	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
380	xk.exe
2708	IExplorer.exe
1444	WINLOGON.EXE
2840	CSRSS.EXE
1500	SERVICES.EXE
1988	LSASS.EXE
1860	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 380	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	31
PID 580 wrote to memory of 380	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	31
PID 580 wrote to memory of 380	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	31
PID 580 wrote to memory of 380	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	31
PID 580 wrote to memory of 2708	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	32
PID 580 wrote to memory of 2708	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	32
PID 580 wrote to memory of 2708	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	32
PID 580 wrote to memory of 2708	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	32
PID 580 wrote to memory of 1444	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	33
PID 580 wrote to memory of 1444	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	33
PID 580 wrote to memory of 1444	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	33
PID 580 wrote to memory of 1444	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	33
PID 580 wrote to memory of 2840	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	34
PID 580 wrote to memory of 2840	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	34
PID 580 wrote to memory of 2840	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	34
PID 580 wrote to memory of 2840	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	34
PID 580 wrote to memory of 1500	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	35
PID 580 wrote to memory of 1500	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	35
PID 580 wrote to memory of 1500	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	35
PID 580 wrote to memory of 1500	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	35
PID 580 wrote to memory of 1988	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	36
PID 580 wrote to memory of 1988	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	36
PID 580 wrote to memory of 1988	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	36
PID 580 wrote to memory of 1988	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	36
PID 580 wrote to memory of 1860	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	37
PID 580 wrote to memory of 1860	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	37
PID 580 wrote to memory of 1860	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	37
PID 580 wrote to memory of 1860	580	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe	37

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe

C:\Users\Admin\AppData\Local\Temp\8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe
"C:\Users\Admin\AppData\Local\Temp\8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337daeN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:580
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:380
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1444
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
90KB

MD5
934b348fb728ddc0a4b4cc2c4e5a04bd

SHA1
d3f355eddd6c31da4df058b45f58a34a198eaa21

SHA256
98b4adcc4f833e213a51ec33a445cb44e98c1512a70cded6b96528a8da363f82

SHA512
11e90d4b7db03ac5039322900e513728e2ece50bdb5bfbceb00db5188cfb431a124d71e85f00bc81d2ed86dd7d6163e09d2b393b68bb822e743234d248a078b0

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
90KB

MD5
d1967e784a6e8b6dab51c2b1396622d0

SHA1
b1a534ec8a8a893ca9204091695710204e81e6e9

SHA256
8e50577e94a3638908c05be5df1f482e40ebcaaaf71bbc801031770c1e337dae

SHA512
2fe3a83d5bec55100e9857038cfed2a9c706135b6d898f3a874d1ceaa59c1ae65f520b53f4d02aa6778c514fccede9357092e9c6384e30266a1cc0e4c5122cad

Download Submit
C:\Windows\xk.exe

Filesize
90KB

MD5
8520c27c98daa411aa6e3aa0711a2a62

SHA1
42ed6bbc200387c42c99f793a4f6c4c46cccb3a2

SHA256
7642f1046c2f70527596b6c757aa6783136286a222d8733c395f7aa69a955216

SHA512
8f09d34a610daab2d46186239211deb650da9f2fd50a1b9432657e062b54632b43869c121791cf74834cdea5c4a4ebd0c5be60331945aeeec96256387490d28e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
90KB

MD5
9b7e2ee3d0621f4ed20f664aecf46ca0

SHA1
c673b4c4dc2f783baeb7452ea9e8dda39bd2c846

SHA256
9d9bae6615837d11e33e6fbd844eba4b1977711578599304fb0efef1b39d1fd4

SHA512
8c884220035d04239590277cb6d8c374f06cec30c80b2dbbd0e6aa7d9e7264ca7fda66983cf4796befc9a841d4067600ea4f916ecb21d808bf139acad5584b0d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
90KB

MD5
aa1093add0fcf2d2eab9c964db823f0b

SHA1
a2f89801238c36102b5de763d1493b523dcaf56d

SHA256
83b86797d521eac850a2c97707a7217d3abd9193dc22f394a852610f637c23bd

SHA512
0156fb5d3bc5ced9c26aed0e627c0a1097132f2eb7bb22b2decf04665c1110e23886bd076131f93fc3c4df5bd6b1f816837ca05c3e60efd8ffe48dd7f7aa6ddd

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
90KB

MD5
daa00def96c69ee26c7742904454fc65

SHA1
ce8d4369c017c4727bd4f4cf57f175cef34be428

SHA256
8d2f9caca86fbd017f353896e20c47823488c435b30683cdc28f8350fb7b880f

SHA512
9d615906e9afa521feb9c24246268824cbee3d941494a4caa02970ff781af500d9f7f5488ce097f93c4f674e73f54de5f86c98115f56b8162080702fcf45efc6

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
90KB

MD5
0380bf44ac542959c6a62d4432d0cb28

SHA1
0efbef20e35e8a2dab8f5eaed2c90be579c59f45

SHA256
016ef807b9f02088468a2eb3ceb68cee1f713bf1e552a53527378214539d7b1c

SHA512
e86762fa062eb98fde7b1f9c7dfb24381921abc41605b60f48c49dab79604b29dc12033e2ae91872b599bf24d799ac5f7b23325bc8da4144107dd3a7c652a8d5

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
90KB

MD5
973b6cdb9c09c3cc23fd0bf48b323f5e

SHA1
115d3918ae90ed688bb56e36b43f0e0fb9200d8c

SHA256
0171c6acbf47d59450cdba2157890b5750a936fb52d11653ecaeb6a9ec1874ca

SHA512
802f1aac161704636a754a56046cc6be9e840af6c0556772b7060c7028bd62283afff57e806103e57f96ae27c850016f6ee0fdb99dd656ad988700c16dd8b81e

Download Submit
memory/380-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/380-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-106-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/580-180-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/580-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-122-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/580-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-134-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/580-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-168-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/580-133-0x0000000000340000-0x000000000036F000-memory.dmp

Filesize
188KB

Download
memory/1444-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1500-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1988-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2840-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download