Malware Analysis Report

2025-08-06 01:19

Sample ID 241107-sfsypavblg
Target ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN
SHA256 ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47f
Tags
upx discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47f

Threat Level: Known bad

The file ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN was found to be: Known bad.

Malicious Activity Summary

upx discovery evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Modifies system executable filetype association

Adds Run key to start application

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

System policy modification

Suspicious use of SetWindowsHookEx

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:04

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:04

Reported

2024-11-07 15:06

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 804 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\xk.exe
PID 804 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\xk.exe
PID 804 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\xk.exe
PID 804 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\xk.exe
PID 804 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 804 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 804 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 804 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 804 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 804 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 804 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 804 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 804 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 804 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 804 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 804 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 804 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 804 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 804 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 804 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 804 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 804 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 804 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 804 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 804 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe

"C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

N/A

Files

memory/804-1-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 07f35139b8c124c730d8c073b7b9cfc0
SHA1 1bda918d117b2e20ff9543c03a4abaeb799119fa
SHA256 ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47f
SHA512 ee478bbcf7273843d31cc5e77df4612edf12d2dfcc3a19e08e27ed38fa63b004df23265cbc9644bdd1bb3f23fb894b4fc366b25e8afe9fc9b40c50fdc382488f

memory/2680-112-0x0000000000400000-0x000000000042F000-memory.dmp

memory/804-111-0x00000000030E0000-0x000000000310F000-memory.dmp

memory/804-110-0x00000000030E0000-0x000000000310F000-memory.dmp

C:\Windows\xk.exe

MD5 a85a1c8b5b2e31fb3c2a6869eebc3f6c
SHA1 f5d2e05c4e2e6b26c3e3f62710b746e1245526f8
SHA256 150151fd93154ad4479dbf0ed1932b80cd2f5d07abae865e8c5a503dad8e52df
SHA512 c4f657ab70eb9e547c32e98188cd3c6a7bbb13e85506c4970e24ca70793958f897c468c1a38fc7553f7323bd00cbaacd49ce1a3522b3de71df775cfcc1baba02

\Windows\SysWOW64\IExplorer.exe

MD5 6bdc73ecfa102cd08af218df9c48ae6f
SHA1 a60d094c2445948e5ae9198a27ff36de1822b066
SHA256 8f9b39b8a75e36c548091e3c8ca65106e5b25f32f359d2ac1fabd12ef9d84d3f
SHA512 5de428f3a67cb0d8d3ac866db9954f22213b04d08d154c13bb1939787bfeaf4917bec74d4ecdcb69d7d0ee517fdd8338dbb370c97910f3d399d3a4acf5a3f0df

memory/2680-122-0x0000000000400000-0x000000000042F000-memory.dmp

memory/680-127-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 6d8e869ce04fe543dd6953fd60db37c6
SHA1 f119b3fbc988325a5995c86d62d48fcbebf22305
SHA256 f28065d36192b6614254734628968436c1d89747190f400c3e672c31bd051578
SHA512 41d31ca9dd3dfb1f9960965e58678f578e4db1c5191523e686286f731c441b6929782f9b63c009e2b8dc545b0e61d7fb61c36ded573f3f0e77be501150293d95

memory/596-135-0x0000000000400000-0x000000000042F000-memory.dmp

memory/596-138-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 804863dfff2938bbfc77af1b029fb941
SHA1 483411ff35a1513cb0e3beedca4d79c362d15375
SHA256 08c2134d947eb73e06f4b2cd60441e1b93bc136ec178fe5aeee43511d045bed4
SHA512 b962b7b29589c4feb9458a36b0e035f40e07a2635ecba9f8a9d4e1b42853ab6161e8c65a3a196a6f1d64884572a8e3b1d9e9bbffc409acf6ac690697ab9bc7bf

memory/804-146-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1100-149-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 81bbad7845bd1c1d3fff0172fc3785d8
SHA1 2a0f419ca218517d8bb3625419d867d61408932b
SHA256 a7e502e7567b92375e4c2ddd4f38468cf778d3e19963646f2a41ac92e1963a99
SHA512 237713afa574bc22558934d43c95c2826bfe0ee6d6f1c00a56131a2dccd11047218de3c4ffc46d4bbc7cfaa72d00f5cfe1988882acaa43914b383dc5f66f7f00

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 8c3265d825e5e95ae0f0b7057c727e25
SHA1 058ce81182f0889dbf44eecfb9694867549314e3
SHA256 22c0da378e488d51a6923cf0bb1b9bce17087a5b9178d9119056d2cadd117eea
SHA512 a211eae47e033767b864bd016e2f17d90f7599a3dfbb82f6f1907dc48e25bf8413471259abe77686ba6b747dd25abe8cda12922e7fec095723a852c12041aeeb

memory/604-168-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2448-167-0x0000000000400000-0x000000000042F000-memory.dmp

memory/604-172-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 d197dea8941ca6f8bffbd42f19cf015a
SHA1 6cb1c738e83d337123f27d7006db3aa35ac72adc
SHA256 7aab2c94d5bf3ecb9e377db728ba9782ea0267439e02f7d70b381b1a797b83b4
SHA512 698268dc05a6272a76d486c642cb976bbebf3aed9e03b9d2927cc5599dce7ada55069bbd5ed98cf4ea6f34b1d3ff698184b8ab11a9de12ee89e91f00c455e804

memory/804-185-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1264-184-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 15:04

Reported

2024-11-07 15:06

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\xk.exe
PID 2172 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\xk.exe
PID 2172 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\xk.exe
PID 2172 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2172 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2172 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2172 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2172 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2172 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2172 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2172 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2172 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2172 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2172 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2172 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2172 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2172 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2172 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2172 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2172 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2172 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe

"C:\Users\Admin\AppData\Local\Temp\ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47fN.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2172-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 07f35139b8c124c730d8c073b7b9cfc0
SHA1 1bda918d117b2e20ff9543c03a4abaeb799119fa
SHA256 ef7031b83716a98591da92f00dac92464093c75e111fee49cd26804ff593c47f
SHA512 ee478bbcf7273843d31cc5e77df4612edf12d2dfcc3a19e08e27ed38fa63b004df23265cbc9644bdd1bb3f23fb894b4fc366b25e8afe9fc9b40c50fdc382488f

C:\Windows\xk.exe

MD5 287a690b831ad3a09eb5bacc8e82fc70
SHA1 a29984d6258859e7ac9f826505d1292cb12d4b72
SHA256 e6168dd5ac5db9bbd14d842f7058deb7bed56c1215d4d73a2ab4ca3f47b4c68c
SHA512 92515b42263bca1187645bafe27fa779763d25d670ce6dca6bc430af5b67a4b94ce14a91ca27d86b0fe9433d460e2f8e7e484c71c8da50457237b5e27fa9fb27

C:\Windows\SysWOW64\IExplorer.exe

MD5 ca16bc883246f56484365df251136eb8
SHA1 67595e01395731f4ab6c5df44e888d686dc1fa94
SHA256 84bd429915f459b8d680cc5784d07255d7de6d48fb0d42d529a8df7adb79a6c8
SHA512 2328388319befa430dd4f14b68d14370a033085dab9553c903fd18f0910f9b8fda26fb51226f933ced74a176452ff910150bea0035b14592a4e909b4b71553ff

memory/4032-112-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1656-117-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 78a55e33e9b70dc1a49db07d2cd7f122
SHA1 10bc6aa48ef11ab2a3080bf289568ab3a284e71b
SHA256 5d02df8de8ae5248443a136a994c1f9e17769d7572f59f8d87a93e6028132c8b
SHA512 da05cf175dbe14c2aba58b3f5deb38f2acbc1ccebe0aae5461e0d414b4e5055b25a7da0eac4232e980011c65575979a2b6c229cede430650fff525599d253fc7

memory/3368-124-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 160020ded8997323f1c29c67457927cb
SHA1 153dbf6a07ede74140e700e4b2a6a5d8dc72813d
SHA256 1bffde0e07ae435974db0a9b95bb971acd94a773e9b5907de917a03851317c70
SHA512 f303a00d703c11f07f34bd7436c080a2a2ad1f82b89bd5a5b01e1c8631fbcd0c59f20526d559103c0d04524621e40d48b5197b2d32e33ee1a1617bfcc5e17490

memory/2260-132-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 9eb3af4ac8607b60cee12e0bb0e48b89
SHA1 7e60a3639b0efe29c0ba3a208ee4b423aa47bea8
SHA256 9eb6f3ab1e64e55f6495308115ea1ba69bf43ea170a0a99d59f32d7b19d64223
SHA512 4ae423eaa21e12c285c83e058cbb9e1f0615a539b694e0f48c02e420a4e1b3d823c7cb69fcd5201f25cadfa26db971dc8e28db15edc21f0fa7bb064860e7f313

memory/4692-138-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

MD5 1989c93a9cfe5e130eb2bd0506f3e75c
SHA1 c13ebfa7db822a2f60f1095acfcef9b614a3c4b7
SHA256 6e3e2c9c9993c3a0eeceebe2109e7f0d95479fca88116c89075aa4879eaf71a8
SHA512 fb2a9da71b77fcd09e1318874c6a7bfff079c7902355b557ff4af08dbac9934ef7c09988907d9e1a22f79a8ef00df74387c6074c04eb49893950949592cc7300

memory/4888-142-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4888-146-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

MD5 4bd71fe0af33f8f1760228c1b5599253
SHA1 d8635c76f654e3174555fe5f2808b8d9026a062f
SHA256 f0c76d6443cd102136bf6f305d62735ec229e51075dc2aed3f917353d9eb31bb
SHA512 8b692a67b82873c64ccf55f06d982eda26fe4d142d65305e44e21c5f5bbb6af1b05f1449a1c41be96127210d7c4abbc6b1572b10bf26434bbc151e95d2e165f2

memory/3360-153-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2172-154-0x0000000000400000-0x000000000042F000-memory.dmp