Malware Analysis Report

2024-12-07 16:23

Sample ID 241113-277qlavjgj
Target d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe
SHA256 d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66
Tags
defense_evasion discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66

Threat Level: Known bad

The file d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Modifies Internet Explorer start page

System policy modification

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 23:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 23:14

Reported

2024-11-13 23:15

Platform

win7-20240903-en

Max time kernel

38s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsys = "C:\\Windows\\system32\\winsock.exe /wininit" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\winkernel32.exe /system" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Micromerde Windobe Xnaze" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Vous utilisez Super Winmerde" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt = "Entre ton passss !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Welcome = "Salut pti blairo !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\winsock.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winsock.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\SysWOW64\winkernel32.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winkernel32.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Vive Les Marmottes qui chantent !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.webfmdr.com/B/" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2104 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2996 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2996 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2996 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2996 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2104 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 484 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 484 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 484 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 484 wrote to memory of 1620 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2104 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2104 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2744 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2744 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2744 wrote to memory of 2216 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r

C:\Windows\SysWOW64\shutdown.exe

shutdown -r

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Windows\SysWOW64\winsock.exe

MD5 3f86933a4fc923b45de8a7311da145fa
SHA1 e14236262e229e762f11249badf4779d2026beb1
SHA256 a43c3d0f7a910675471e6e4d71752aea0e4f45fe32536946b046c2582dbde177
SHA512 07743f0b0f51ce6bd6ab5f583d18ce852bab351701292235cc88cfb17a20660d509d73a6237f6701f20d221c02694af357e8fa60553300bf2482b161abf7faf3

memory/2104-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2728-8-0x0000000002D90000-0x0000000002D91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 23:14

Reported

2024-11-13 23:15

Platform

win10v2004-20241007-en

Max time kernel

40s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winsys = "C:\\Windows\\system32\\winsock.exe /wininit" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\winkernel32.exe /system" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Micromerde Windobe Xnaze" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Vous utilisez Super Winmerde" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt = "Entre ton passss !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Welcome = "Salut pti blairo !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\winsock.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winsock.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\SysWOW64\winkernel32.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winkernel32.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Vive Les Marmottes qui chantent !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.webfmdr.com/B/" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "46" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4812 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 824 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 824 wrote to memory of 3324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 824 wrote to memory of 3324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 824 wrote to memory of 3324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4812 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 3348 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3348 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3348 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4812 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 2904 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2904 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2904 wrote to memory of 1636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r

C:\Windows\SysWOW64\shutdown.exe

shutdown -r

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39b6055 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp

Files

C:\Windows\SysWOW64\winsock.exe

MD5 6a8be40d1d632fac2da24390bc95fe8e
SHA1 0b284bfd0a947857185010106e160be1f2a87201
SHA256 0e4aa8f3fcf6a5462bb630b3fef7ac71bff1763c59c92a00ba0c65aa09b86e4d
SHA512 9f731fe8d16c8b4c69f2ca56f1d415ad9f62c90ec19b955c9d55bdc5bd7634c287ee6ecaef329d45e9eb4b5fcd512685959e26e350b00d72938b330ee05c1e8c

C:\Windows\SysWOW64\winkernel32.exe

MD5 9eb3e16309c198528791c61dcd349fd1
SHA1 30aa65537d7ea7a6b4ddb7043c8b38561171e2cd
SHA256 af8c5ec22174d9bae73c09e56c0d4d086a41d13be6027a2ef486f7539d946af1
SHA512 33649fcc83106ccbe486464e6cb01cde28305eb3b393670a49f2c29e952e0708bbfdffed67647dacd6d9a159f8577645992c15256527864664eadaae54517ff2

memory/4812-4-0x0000000000400000-0x0000000000409000-memory.dmp