5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dba

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Size

91KB
MD5

728b97f63b71df9efe6bd1da5bcc2650
SHA1

d9ed86dbe14b55d900ba84ad4668f0df1671f43c
SHA256

5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dba
SHA512

bb2ba4919d82202d5211f117e77c666ffbc2e4b04483ace2714d3d0d3cc6545d91b3ff77bc5666a21a42bae07e5d22e692a4392cea83c40602b838c985a75e61
SSDEEP

1536:1AwEmBT4JzRJwEeUW7f12xULgJziAwEmBT4JzRJwEeUW7f12xULgJzA:1Gml41LBu7f1WNiGml41LBu7f1WNA

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2648	xk.exe
2876	IExplorer.exe
1360	WINLOGON.EXE
1652	CSRSS.EXE
2136	SERVICES.EXE
1724	LSASS.EXE
1428	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
File created	C:\Windows\SysWOW64\Mig2.scr	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
File created	C:\Windows\xk.exe	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
2648	xk.exe
2876	IExplorer.exe
1360	WINLOGON.EXE
1652	CSRSS.EXE
2136	SERVICES.EXE
1724	LSASS.EXE
1428	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2648	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	31
PID 2096 wrote to memory of 2648	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	31
PID 2096 wrote to memory of 2648	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	31
PID 2096 wrote to memory of 2648	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	31
PID 2096 wrote to memory of 2876	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	32
PID 2096 wrote to memory of 2876	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	32
PID 2096 wrote to memory of 2876	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	32
PID 2096 wrote to memory of 2876	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	32
PID 2096 wrote to memory of 1360	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	33
PID 2096 wrote to memory of 1360	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	33
PID 2096 wrote to memory of 1360	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	33
PID 2096 wrote to memory of 1360	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	33
PID 2096 wrote to memory of 1652	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	34
PID 2096 wrote to memory of 1652	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	34
PID 2096 wrote to memory of 1652	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	34
PID 2096 wrote to memory of 1652	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	34
PID 2096 wrote to memory of 2136	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	35
PID 2096 wrote to memory of 2136	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	35
PID 2096 wrote to memory of 2136	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	35
PID 2096 wrote to memory of 2136	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	35
PID 2096 wrote to memory of 1724	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	36
PID 2096 wrote to memory of 1724	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	36
PID 2096 wrote to memory of 1724	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	36
PID 2096 wrote to memory of 1724	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	36
PID 2096 wrote to memory of 1428	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	37
PID 2096 wrote to memory of 1428	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	37
PID 2096 wrote to memory of 1428	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	37
PID 2096 wrote to memory of 1428	2096	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe	37

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe

C:\Users\Admin\AppData\Local\Temp\5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe
"C:\Users\Admin\AppData\Local\Temp\5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dbaN.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2096
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2648
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1360
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1652
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2136
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1724
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
728b97f63b71df9efe6bd1da5bcc2650

SHA1
d9ed86dbe14b55d900ba84ad4668f0df1671f43c

SHA256
5ed4e8f8ca033175393d16144c99a9e6adbbfeb5dbe24b6bdac83dde2b651dba

SHA512
bb2ba4919d82202d5211f117e77c666ffbc2e4b04483ace2714d3d0d3cc6545d91b3ff77bc5666a21a42bae07e5d22e692a4392cea83c40602b838c985a75e61

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
fe5b25b76817a87a4d5267488b38ba92

SHA1
336b7bf7176029b81f9cffaf95a3bea1b2a91094

SHA256
dde7582a79a4adf76b3159be6342d4828d227a899060966125e959e92ec7ad00

SHA512
3d02c410f23834f5738a0f17965cc08e937d202ab97b64bb0a4291f5cea9d465277195321a45d5d240c3ed7a39f7d322e0c45e3a3554cd8b705a9c08c76c142e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
9c2c4ff5281cf7ece9d328fabc8f5b49

SHA1
04b0bc46094fc67fb573d4dc3e8ea2c7361d8850

SHA256
4314a89199bf9e8362d6c087ad6569260eeda5dcf07c3e855399bf48bfbb7bf5

SHA512
20262d28d3c0ba2854aebbf378f2cd2e9f464d9ca78995d10f00c1a6157aa4ed263285e2514b3f99c489858db6b4c81ba94ba77404da3c8f7495891f4504eee9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
0e18bb9e5fde245803bd0464958f70f1

SHA1
9651ddf02429980987274e756d895b3b47b77bec

SHA256
15305f6857bbc7e0b2cf660a41a6f2a494f3476391f94aff9ca408955ed265b6

SHA512
879a13e2f8010c702805b1d2732606e7c4d558198221e473108afb441f7323392c0a8cd159182f396faa0e0c9c6ef1ebdd591aa95a1cb8f7b628b6d27691ced8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
2373e8dc9265acca08bf6ab3f38e96d5

SHA1
cd1428f6d8c9c26cab1a451909d11d6a3a18b120

SHA256
470a28df233b1f41312f9fa572f76ec70870d3a724124c1268e9ddd416391061

SHA512
f0f4b2b4aaad276192239b3929631cd5abed76600c2acc1f9aaeb6b27cf1db51a215cbb44ebf4cc7570538e9264894e37982b86e78368ccc04727c283c14af16

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
13b6eb0e50af1f879915789dd1a5b2c3

SHA1
5b0b59504011e7a1478ade57cd1173b26c4d432c

SHA256
e4b3d7740b1590ad3cab0c29dfb27dcc5732ea9c9c809dd02f11ce6c0443a38b

SHA512
155fa84db75d7dd966422a124b540e5d4cbcf8370e8fe5f329a72f635fbbb5fc3bfdfaab4a680d60990df56e372c1d09e4f52eb2d9b610641d47b6a11d1ec727

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
eabb76627dc8470dd36f0ec03035fadf

SHA1
8268c8e5eac1d92ecf62ab1e5ed653bb418fa612

SHA256
b1fa49a22ad9b091810963633010ff66a0f226f9fad07cbde5ae9d6eb390d51c

SHA512
b3c4469223be573772603f7880720d83185197b55e4bde26b9641bd43a3612c0780f285d8e758de843ed8752ff963b91cdc31d52bf83776cc759365ecd191134

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
b4aa652f218cd73eab3b50aad87ed5aa

SHA1
b724e6ff7aaee60a03711949d4de4fb1a1f73a92

SHA256
f1fa60370068a8f2a5674539898f594be023dd41585dc840bc056c850b760307

SHA512
2ff05536f412875b62e204308672a6337a93512604db514b319d735af40c109400c70acef4acc193c3304b1b9255ecb38dc6dc3f301ffbf34c6b11b4b8eb8bdb

Download Submit
memory/1360-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1360-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1428-193-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-159-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1724-181-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2096-124-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-187-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-137-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-194-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2096-153-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-147-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2096-123-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-186-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-110-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2096-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2096-109-0x00000000004C0000-0x00000000004EE000-memory.dmp

Filesize
184KB

Download
memory/2136-170-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2648-122-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2648-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2876-132-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2876-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download