Malware Analysis Report

2024-12-07 16:52

Sample ID 241113-hh3wkaxelk
Target aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe
SHA256 aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2
Tags
defense_evasion discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2

Threat Level: Known bad

The file aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Adds Run key to start application

Modifies WinLogon

Drops file in System32 directory

Hide Artifacts: Hidden Files and Directories

Unsigned PE

System Location Discovery: System Language Discovery

Modifies Internet Explorer start page

System policy modification

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 06:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 06:45

Reported

2024-11-13 06:45

Platform

win7-20240903-en

Max time kernel

38s

Max time network

39s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsys = "C:\\Windows\\system32\\winsock.exe /wininit" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\winkernel32.exe /system" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt = "Entre ton passss !" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Welcome = "Salut pti blairo !" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Micromerde Windobe Xnaze" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Vous utilisez Super Winmerde" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winkernel32.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\SysWOW64\winsock.exe C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
File opened for modification C:\Windows\SysWOW64\winsock.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\SysWOW64\winkernel32.exe C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Vive Les Marmottes qui chantent !" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.webfmdr.com/B/" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 2232 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2232 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2232 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2232 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2744 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2744 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2744 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3048 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2136 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2136 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 2136 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe

"C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r

C:\Windows\SysWOW64\shutdown.exe

shutdown -r

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Windows\SysWOW64\winsock.exe

MD5 b3d7e7d9ead4c90e82ff1db139622c2e
SHA1 2806ecc54254955d76f3ce09d70ed1115078c507
SHA256 f5adf5fcb8c494a20cbe04f1909273bc8067f61b793a7b186d37ea65a84711e5
SHA512 31f4dd19baee7ffd3b10296cca26610d79843abc4998e6b6245ba5f59368850074cb83d14a107c8de2b6742b844f99c24f965223cefe4592b66e98da14033b39

memory/3048-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1964-8-0x0000000002E10000-0x0000000002E11000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 06:45

Reported

2024-11-13 06:46

Platform

win10v2004-20241007-en

Max time kernel

44s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Disables Task Manager via registry modification

evasion

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\winkernel32.exe /system" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Winsys = "C:\\Windows\\system32\\winsock.exe /wininit" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt = "Entre ton passss !" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Welcome = "Salut pti blairo !" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Micromerde Windobe Xnaze" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Vous utilisez Super Winmerde" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\winsock.exe C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
File opened for modification C:\Windows\SysWOW64\winsock.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Windows\SysWOW64\winkernel32.exe C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
File opened for modification C:\Windows\SysWOW64\winkernel32.exe C:\Windows\SysWOW64\attrib.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Vive Les Marmottes qui chantent !" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.webfmdr.com/B/" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D} C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 652 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 4804 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4804 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4804 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 652 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3292 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3292 wrote to memory of 528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 652 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 4364 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe
PID 4364 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\shutdown.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoColorChoice = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoSizeChoice = "1" C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe

"C:\Users\Admin\AppData\Local\Temp\aa9a7552d2dc7d257186c7c4826009a3ac0e900c2099bed4d5c7f165de38f0b2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winsock.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Windows\system32\winkernel32.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -r

C:\Windows\SysWOW64\shutdown.exe

shutdown -r

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38c9055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\winsock.exe

MD5 b3d7e7d9ead4c90e82ff1db139622c2e
SHA1 2806ecc54254955d76f3ce09d70ed1115078c507
SHA256 f5adf5fcb8c494a20cbe04f1909273bc8067f61b793a7b186d37ea65a84711e5
SHA512 31f4dd19baee7ffd3b10296cca26610d79843abc4998e6b6245ba5f59368850074cb83d14a107c8de2b6742b844f99c24f965223cefe4592b66e98da14033b39

memory/652-4-0x0000000000400000-0x0000000000409000-memory.dmp
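Host triage script for the artifacts recorded in behavioral1 and behavioral2 above. This is an added example, not part of the sandbox report and not code from the sample's author: it hunts a Windows host for the registry values, Run entries, Winlogon strings and dropped files that both runs recorded, and with -Remediate reverts them. Registry paths, value names and the "bad" data are taken verbatim from the report; what is assumed is the DisableTaskMgr value name (the standard value behind the "Disables Task Manager" signature, for which the report prints no row), the choice to check every loaded S-1-5-21-* user hive rather than only the current user, and the choice to check HKLM paths both natively and under Wow6432Node and files both in System32 and SysWOW64, because the 32-bit sample's writes were redirected (the Run values name system32\winsock.exe while the files were created in SysWOW64). Run it elevated; without -Remediate it only reports.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding()]
param([switch]$Remediate)   # without -Remediate the script only reports findings

# Registry artifacts recorded in behavioral1/behavioral2. 'Bad' is the data the report
# shows; 'Fix' is the value to restore, or $null to delete the value outright.
$userChecks = @(
    @{ Sub='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';          Bad=1; Fix=0 },
    @{ Sub='Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden';      Bad=0; Fix=1 },
    @{ Sub='Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools'; Bad=1; Fix=$null },
    # Assumption: DisableTaskMgr is the value behind the "Disables Task Manager" signature;
    # the report names the signature but shows no indicator row for it.
    @{ Sub='Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';       Bad=1; Fix=$null },
    @{ Sub='Software\Microsoft\Windows\CurrentVersion\Run';               Name='Win32'; Bad='C:\Windows\system32\winkernel32.exe /system'; Fix=$null },
    @{ Sub='Software\Microsoft\Internet Explorer\Main';                   Name='Start Page';   Bad='http://www.webfmdr.com/B/';          Fix=$null },
    @{ Sub='Software\Microsoft\Internet Explorer\Main';                   Name='Window Title'; Bad='Vive Les Marmottes qui chantent !'; Fix=$null }
)
$machineChecks = @(
    @{ Sub='Microsoft\Windows\CurrentVersion\Run';             Name='Winsys';             Bad='C:\Windows\system32\winsock.exe /wininit'; Fix=$null },
    @{ Sub='Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='LogonPrompt';        Bad='Entre ton passss !';           Fix=$null },
    @{ Sub='Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='Welcome';            Bad='Salut pti blairo !';           Fix=$null },
    @{ Sub='Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='LegalNoticeCaption'; Bad='Micromerde Windobe Xnaze';     Fix='' },
    @{ Sub='Microsoft\Windows NT\CurrentVersion\Winlogon';     Name='LegalNoticeText';    Bad='Vous utilisez Super Winmerde'; Fix='' },
    @{ Sub='Microsoft\Windows\CurrentVersion\Policies\System'; Name='NoColorChoice';      Bad=1; Fix=$null },
    @{ Sub='Microsoft\Windows\CurrentVersion\Policies\System'; Name='NoSizeChoice';       Bad=1; Fix=$null }
)

# Dropped binaries. Only winsock.exe has a hash in the report (SHA256 from the Files section).
$dropNames = 'winsock.exe', 'winkernel32.exe'
$knownHash = @{ 'winsock.exe' = 'F5ADF5FCB8C494A20CBE04F1909273BC8067F61B793A7B186D37EA65A84711E5' }
$dropPaths = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($n in $dropNames) { Join-Path $env:SystemRoot "$dir\$n" }
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

function Get-Sha256Hex([string]$LiteralPath) {
    # File.OpenRead does not care about hidden/system attributes, unlike unforced cmdlets
    $stream = [System.IO.File]::OpenRead($LiteralPath)
    try { ([System.BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Dispose() }
}

function Test-RegistryArtifact([string]$Path, [hashtable]$Check) {
    $props = Get-ItemProperty -Path $Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return }                       # key or value absent: nothing to report
    $actual = $props.($Check.Name)
    if ("$actual" -ne "$($Check.Bad)") { return }          # string compare covers DWORD and REG_SZ alike
    Add-Finding 'Registry' "$Path\$($Check.Name)" "= $actual"
    if ($Remediate) {
        if ($null -eq $Check.Fix) { Remove-ItemProperty -Path $Path -Name $Check.Name -Force }
        else { Set-ItemProperty -Path $Path -Name $Check.Name -Value $Check.Fix }
    }
}

# User-hive checks: every loaded S-1-5-21-* hive, not just HKCU of the operator running this.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$userHives = Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($hive in $userHives) {
    foreach ($c in $userChecks) { Test-RegistryArtifact "HKU:\$($hive.PSChildName)\$($c.Sub)" $c }
}
# Machine checks: native path and the Wow6432Node path the 32-bit sample was redirected to.
foreach ($c in $machineChecks) {
    foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') { Test-RegistryArtifact "$root\$($c.Sub)" $c }
}

# File checks: -Force is required, the sample ran "attrib +h +s" on both drops.
foreach ($p in $dropPaths) {
    $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $hash   = Get-Sha256Hex $p
    $known  = $knownHash[$item.Name]
    $match  = if ($known -and $hash -eq $known) { ' (matches report hash)' } else { '' }
    Add-Finding 'File' $p "attrib=$($item.Attributes) sha256=$hash$match"
    if ($Remediate) {
        # kill only processes actually running from this path, then delete the file
        Get-Process | Where-Object { $_.Path -eq $p } | Stop-Process -Force
        Remove-Item -LiteralPath $p -Force
    }
}

if ($findings.Count -eq 0) { Write-Host 'No artifacts from this report were found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Usage: `.\Hunt-Artifacts.ps1` to report, `.\Hunt-Artifacts.ps1 -Remediate` to revert. The Run values point at system32\winsock.exe and system32\winkernel32.exe while the sandbox recorded the files under SysWOW64, so a 64-bit host should be checked in both directories before concluding the persistence is absent; a hit on winkernel32.exe cannot be hash-confirmed because the report records no hash for it.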