Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06-10-2024 05:29
Behavioral task behavioral1
- Sample: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- Resource: win10v2004-20240802-en
General
- Target: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- Size: 91KB
- MD5: b0fa0a9b8123ddaebdfbccaa15c812f0
- SHA1: 4ecd5296b548cc2c03893bb59651ef39c9d5cae4
- SHA256: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26
- SHA512: 53f28afaf51b48158d045d4878144351d54d15978233f13b24aa69e29a6da09bd6e024fed4871d7a2182500e1dc3c5919f0ff811e7d5a60f868a46b834dbf03e
- SSDEEP: 1536:XJRtlEnBHHIgabuYotV/JbJCX5SBinJRtlEnBHHIgabuYotV/JbJCX5SBiE:XvtYxOuYotvYQInvtYxOuYotvYQIE
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Disables RegEdit via registry modification 2 IoCs
- Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
- 2492 xk.exe
- 2592 IExplorer.exe
- 2468 WINLOGON.EXE
- 3032 CSRSS.EXE
- 872 SERVICES.EXE
- 1732 LSASS.EXE
- 1628 SMSS.EXE
Loads dropped DLL 12 IoCs
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Modifies system executable filetype association 2 TTPs 13 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Adds Run key to start application 2 TTPs 5 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Drops file in System32 directory 6 IoCs
- File opened for modification C:\Windows\SysWOW64\shell.exe (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- File created C:\Windows\SysWOW64\shell.exe (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- File created C:\Windows\SysWOW64\Mig2.scr (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- File created C:\Windows\SysWOW64\IExplorer.exe (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- File opened for modification C:\Windows\SysWOW64\IExplorer.exe (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- File opened for modification C:\Windows\SysWOW64\Mig2.scr (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
YARA rule matches (resource, yara_rule)
- behavioral1/memory/1364-0-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/files/0x0007000000016b86-8.dat: upx
- behavioral1/memory/2492-112-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/files/0x0007000000016edc-109.dat: upx
- behavioral1/files/0x00060000000175f1-123.dat: upx
- behavioral1/memory/2492-122-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/memory/2592-127-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/files/0x000d000000018683-134.dat: upx
- behavioral1/files/0x0005000000018697-138.dat: upx
- behavioral1/memory/2468-141-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/memory/1364-155-0x0000000000570000-0x000000000059F000-memory.dmp: upx
- behavioral1/files/0x0005000000018706-153.dat: upx
- behavioral1/memory/3032-152-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/memory/1364-160-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/files/0x000500000001870c-172.dat: upx
- behavioral1/memory/872-171-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/memory/1732-177-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/files/0x000500000001871c-178.dat: upx
- behavioral1/memory/1628-191-0x0000000000400000-0x000000000042F000-memory.dmp: upx
- behavioral1/memory/1364-192-0x0000000000400000-0x000000000042F000-memory.dmp: upx
Drops file in Windows directory 2 IoCs
- File opened for modification C:\Windows\xk.exe (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- File created C:\Windows\xk.exe (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: WINLOGON.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: CSRSS.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: SERVICES.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: LSASS.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: SMSS.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: xk.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: IExplorer.exe)
Modifies Control Panel 4 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Modifies registry class 15 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Suspicious behavior: EnumeratesProcesses 1 IoCs
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
Suspicious use of SetWindowsHookEx 8 IoCs
- 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
- 2492 xk.exe
- 2592 IExplorer.exe
- 2468 WINLOGON.EXE
- 3032 CSRSS.EXE
- 872 SERVICES.EXE
- 1732 LSASS.EXE
- 1628 SMSS.EXE
Suspicious use of WriteProcessMemory 28 IoCs
- PID 1364 wrote to memory of 2492 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 28)
- PID 1364 wrote to memory of 2492 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 28)
- PID 1364 wrote to memory of 2492 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 28)
- PID 1364 wrote to memory of 2492 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 28)
- PID 1364 wrote to memory of 2592 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 29)
- PID 1364 wrote to memory of 2592 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 29)
- PID 1364 wrote to memory of 2592 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 29)
- PID 1364 wrote to memory of 2592 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 29)
- PID 1364 wrote to memory of 2468 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 30)
- PID 1364 wrote to memory of 2468 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 30)
- PID 1364 wrote to memory of 2468 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 30)
- PID 1364 wrote to memory of 2468 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 30)
- PID 1364 wrote to memory of 3032 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 31)
- PID 1364 wrote to memory of 3032 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 31)
- PID 1364 wrote to memory of 3032 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 31)
- PID 1364 wrote to memory of 3032 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 31)
- PID 1364 wrote to memory of 872 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 32)
- PID 1364 wrote to memory of 872 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 32)
- PID 1364 wrote to memory of 872 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 32)
- PID 1364 wrote to memory of 872 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 32)
- PID 1364 wrote to memory of 1732 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 33)
- PID 1364 wrote to memory of 1732 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 33)
- PID 1364 wrote to memory of 1732 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 33)
- PID 1364 wrote to memory of 1732 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 33)
- PID 1364 wrote to memory of 1628 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 34)
- PID 1364 wrote to memory of 1628 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 34)
- PID 1364 wrote to memory of 1628 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 34)
- PID 1364 wrote to memory of 1628 (process: 1364 afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe, procid_target: 34)
System policy modification 1 TTPs 4 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" (process: afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\afa224057e387fac8853296ca4591353be3ef5b14e590dce55e010e372f12c26N.exe"
  PID: 1364
  Signatures:
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\xk.exe
    Command line: C:\Windows\xk.exe
    PID: 2492
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\IExplorer.exe
    Command line: C:\Windows\system32\IExplorer.exe
    PID: 2592
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    PID: 2468
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    PID: 3032
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    PID: 872
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    PID: 1732
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    PID: 1628
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads