Malware Analysis Report

2024-12-07 16:23

Sample ID 241113-2943gszqev
Target d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe
SHA256 d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66
Tags
defense_evasion discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66

Threat Level: Known bad

The file d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Modifies data under HKEY_USERS

Modifies Internet Explorer start page

Suspicious use of WriteProcessMemory

System policy modification

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 23:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 23:17

Reported

2024-11-13 23:18

Platform

win7-20240729-en

Max time kernel

38s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsys = "C:\\Windows\\system32\\winsock.exe /wininit" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\winkernel32.exe /system" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Welcome = "Salut pti blairo !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Micromerde Windobe Xnaze" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Vous utilisez Super Winmerde" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt = "Entre ton passss !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File created | C:\Windows\SysWOW64\winsock.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winsock.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\SysWOW64\winkernel32.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winkernel32.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Vive Les Marmottes qui chantent !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.webfmdr.com/B/" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 376 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 2380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1940 wrote to memory of 2380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1940 wrote to memory of 2380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1940 wrote to memory of 2380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 376 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2320 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2320 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2320 wrote to memory of 1972 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 376 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2828 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2828 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 2828 wrote to memory of 2744 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

System policy modification

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r

C:\Windows\SysWOW64\shutdown.exe

shutdown -r

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Windows\SysWOW64\winsock.exe

MD5 479f64afcd86c5841e6a3a22e2097bee
SHA1 36bcaff09ad17aa03af8ebe7bef6f7adb1f8ba31
SHA256 103aa77390cafa268ed1d81ed745cabef1224c8700b9738d3fb04c6c920d4dba
SHA512 3be0b6842d4c9740be8adaa83f6a331e60c362c1aeece4ac24a8e8e1b6fe7b8d649900907fc361b7ef1e53f7bb65a169503d33143107eeb07910799ccc4ace17

memory/376-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2660-8-0x0000000002D90000-0x0000000002D91000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 23:17

Reported

2024-11-13 23:18

Platform

win10v2004-20241007-en

Max time kernel

41s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winsys = "C:\\Windows\\system32\\winsock.exe /wininit" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\winkernel32.exe /system" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt = "Entre ton passss !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Welcome = "Salut pti blairo !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Micromerde Windobe Xnaze" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Vous utilisez Super Winmerde" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
--- | --- | --- | ---
File created | C:\Windows\SysWOW64\winkernel32.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winkernel32.exe | C:\Windows\SysWOW64\attrib.exe | N/A
File created | C:\Windows\SysWOW64\winsock.exe | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
File opened for modification | C:\Windows\SysWOW64\winsock.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Vive Les Marmottes qui chantent !" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.webfmdr.com/B/" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 1316 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 3648 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 3648 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3648 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3648 wrote to memory of 3468 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1316 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 3952 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 3952 wrote to memory of 1292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3952 wrote to memory of 1292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3952 wrote to memory of 1292 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1316 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 4796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 4104 wrote to memory of 4796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe
PID 4104 wrote to memory of 4796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\shutdown.exe

System policy modification

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice = "1" | C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe | N/A

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe

"C:\Users\Admin\AppData\Local\Temp\d1596da4a14304a6cc285bd38e4445549c33758ff11af59f494bdbd095373b66.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r

C:\Windows\SysWOW64\shutdown.exe

shutdown -r

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3938855 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
N/A | 20.189.173.9:443 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Windows\SysWOW64\winsock.exe

MD5 98028569ec089153436c0bf76612ad96
SHA1 b7d0c8b33cac26a17abd7125ee304f6257b9d698
SHA256 647a8ea7dcc1b2e90f5177e0318f70df5a9e33e2a4990f19692659738d595fbb
SHA512 389ff38ea7357bb5f2b87c05fc48b3a2f136ff4bcd93e13fcb926fc960950ec829478e42855c3ca243ff8b332996472b1615da8cb3a1c52fda6fcb4d6ab77105

memory/1316-4-0x0000000000400000-0x0000000000409000-memory.dmp