afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Size

91KB
MD5

b0fa0a9b8123ddaebdfbccaa15c812f0
SHA1

4ecd5296b548cc2c03893bb59651ef39c9d5cae4
SHA256

afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26
SHA512

53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e
SSDEEP

1536:XJRtlEnBHHIgabuYotV/JbJCX5SBinJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQInvtYxOuYotvYQIE

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2492	xk.exe
2592	IExplorer.exe
2468	WINLOGON.EXE
3032	CSRSS.EXE
872	SERVICES.EXE
1732	LSASS.EXE
1628	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
File created	C:\Windows\SysWOW64\shell.exe	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016b86-8.dat	upx
behavioral1/memory/2492-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000016edc-109.dat	upx
behavioral1/files/0x00060000000175f1-123.dat	upx
behavioral1/memory/2492-122-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2592-127-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000d000000018683-134.dat	upx
behavioral1/files/0x0005000000018697-138.dat	upx
behavioral1/memory/2468-141-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1364-155-0x0000000000570000-0x000000000059F000-memory.dmp	upx
behavioral1/files/0x0005000000018706-153.dat	upx
behavioral1/memory/3032-152-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1364-160-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001870c-172.dat	upx
behavioral1/memory/872-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1732-177-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001871c-178.dat	upx
behavioral1/memory/1628-191-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1364-192-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
File created	C:\Windows\xk.exe	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
2492	xk.exe
2592	IExplorer.exe
2468	WINLOGON.EXE
3032	CSRSS.EXE
872	SERVICES.EXE
1732	LSASS.EXE
1628	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2492	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	28
PID 1364 wrote to memory of 2492	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	28
PID 1364 wrote to memory of 2492	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	28
PID 1364 wrote to memory of 2492	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	28
PID 1364 wrote to memory of 2592	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	29
PID 1364 wrote to memory of 2592	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	29
PID 1364 wrote to memory of 2592	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	29
PID 1364 wrote to memory of 2592	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	29
PID 1364 wrote to memory of 2468	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	30
PID 1364 wrote to memory of 2468	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	30
PID 1364 wrote to memory of 2468	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	30
PID 1364 wrote to memory of 2468	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	30
PID 1364 wrote to memory of 3032	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	31
PID 1364 wrote to memory of 3032	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	31
PID 1364 wrote to memory of 3032	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	31
PID 1364 wrote to memory of 3032	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	31
PID 1364 wrote to memory of 872	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	32
PID 1364 wrote to memory of 872	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	32
PID 1364 wrote to memory of 872	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	32
PID 1364 wrote to memory of 872	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	32
PID 1364 wrote to memory of 1732	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	33
PID 1364 wrote to memory of 1732	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	33
PID 1364 wrote to memory of 1732	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	33
PID 1364 wrote to memory of 1732	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	33
PID 1364 wrote to memory of 1628	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	34
PID 1364 wrote to memory of 1628	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	34
PID 1364 wrote to memory of 1628	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	34
PID 1364 wrote to memory of 1628	1364	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe

C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
"C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1364
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2592
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2468
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:872
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1732
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
5d5ad67ffe9db3690c9786d6a833d697

SHA1
ef8cc5b452e0a2f5274e9fa39de86f8187cc3f29

SHA256
43c7514c59bb58fbd514332557c32a3f950a7241dd4abdfc50853065bac7ddb7

SHA512
398b9ff8899b1e43a3f1553255c0df094e98a5b4b87812e7b952d425d8a7597696571301b3a8569b12c962b29d78ce238e0ea2bd098e62fe9f1cdc0152e2f381

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
eca7269b264b2baf59f75402d72beb55

SHA1
4af9513cf1caf086becc59ad005e28bb110a0115

SHA256
d1860cc3e29855c0ed65d802df8b308a2e98fba98b05d546d51abce5c2697b12

SHA512
73c85cf1597799a5d3f95f3e1facd8ab89e81700973550e5f408bb3a15cd87f6e94ec2e302a0fa6460f7a847fb161cbb236583e3f64b29411d24d7193e468853

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
b0fa0a9b8123ddaebdfbccaa15c812f0

SHA1
4ecd5296b548cc2c03893bb59651ef39c9d5cae4

SHA256
afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26

SHA512
53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
83a0211a1eeff51ab8099dd526400f53

SHA1
56ad4d1bf3d6e01dd17b9f43bd5e8935d719717e

SHA256
daf90f1a43b9f06c2a3154bb14013e03e307115416e2ec02640ec68930bdfc63

SHA512
9341dab28f7b41a828aafe376df706d8d1ca215964131d3abec9d5a035f5173f8bfad1558107e99d8af6426d37bbdc1d088dde4ce86d536ffc2f2b80693965f5

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
a229d8bd0831a7449d1a8c586f4de71e

SHA1
1f7995294126e9703570b6fee14494ead76bbfa4

SHA256
998de07d9bc119b85b673e558d656e836853fd0c5bc0a2a20eb472b39e19d7e8

SHA512
af52c1efc0d3a8e1da816b3aac59f7ee2f536cfe9363a49ccaddf2a80b7f0d9a78e799c8d040bbdb637532f08e7aea9aa95b61f21ceaed759fae1590d7b4419a

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
d83f3222092568b8020be5198393b884

SHA1
955f692738a6bb83a062e473e8084369926614a4

SHA256
0f33ab6ffc4ba1df64ac47d5c0aab86f92cd60fdf2886b89201a0623f55feae0

SHA512
ea97db3dcb04b7090f46f8b82d7ca63b7582c5fa446a832be76d5a5efcec41b0e251a03ff2c95b2bc3bf717bf480858c945b7b03133682e001dbef632bc89e0e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
4857c714b4b88fabc33f62159e9216c6

SHA1
181333f3e54904a0a0fec48efcd26e62bac01d4c

SHA256
932dbb74aeb82c0b290934642c92fe899cae42d74650b8d1a61a0d4727d87757

SHA512
1020796973f1ea4b1c110d4e8f39b03406144b9b132cf1cafaa55ebe737595f36984bd58fd5706f9d057e5f1fa5863034741d0c30d649ee410416d7a634f2856

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
d6cf6e8d8e3b3841abd13db26165d334

SHA1
e10fcf5152ab9a4d53a00c536dbb512033f1f8c6

SHA256
babbd92cf650122253e0315d418e904c42ad2d9c671eea9084f234d61da78ab8

SHA512
5403a31ab34c4a7c999afd120f60e4d049defc6805d8d325eb1e6ffc14faf06fb84c074621e25df1fdb6d4b597e698aa82206be878d47957c9b4c02ec01365d0

Download Submit
memory/872-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-147-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-185-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-148-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-155-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-180-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-111-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-135-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-173-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1364-110-0x0000000000570000-0x000000000059F000-memory.dmp

Filesize
188KB

Download
memory/1628-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download