3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Size

90KB
MD5

bc81382662fdb3a0a785f26c8fff9b10
SHA1

2d004acc6168ef54a4c027dd629d5195f383ac3b
SHA256

3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0
SHA512

e2c3018c6ce7cbf9609d5584e6c5237256473c48db3fe6a2bfcf0c7d32476fa781598f1d427128b2aa2fb84da9939a7f4e92b1e168c760395cf48c8fbbfb481e
SSDEEP

1536:XRsjdLaslqdBXvTUL0Hnouy8VjVRsjdLaslqdBXvTUL0Hnouy8Vj:XOJKqsout9VOJKqsout9

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 7 IoCs

pid	Process
2656	xk.exe
2520	IExplorer.exe
2552	WINLOGON.EXE
2568	CSRSS.EXE
3000	SERVICES.EXE
1224	LSASS.EXE
1472	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IExplorer.exe	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
File created	C:\Windows\SysWOW64\shell.exe	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
File created	C:\Windows\SysWOW64\Mig2.scr	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1860-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0009000000016b86-8.dat	upx
behavioral1/files/0x0007000000016d22-109.dat	upx
behavioral1/memory/1860-108-0x0000000002700000-0x000000000272F000-memory.dmp	upx
behavioral1/files/0x0005000000018697-113.dat	upx
behavioral1/memory/2656-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2520-122-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001870c-123.dat	upx
behavioral1/memory/2552-135-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1860-137-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001871c-134.dat	upx
behavioral1/memory/2552-133-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2568-145-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000018745-146.dat	upx
behavioral1/memory/3000-153-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3000-157-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018be7-158.dat	upx
behavioral1/memory/1224-167-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018d7b-168.dat	upx
behavioral1/memory/1472-179-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1860-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
File created	C:\Windows\xk.exe	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
2656	xk.exe
2520	IExplorer.exe
2552	WINLOGON.EXE
2568	CSRSS.EXE
3000	SERVICES.EXE
1224	LSASS.EXE
1472	SMSS.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2656	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	28
PID 1860 wrote to memory of 2656	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	28
PID 1860 wrote to memory of 2656	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	28
PID 1860 wrote to memory of 2656	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	28
PID 1860 wrote to memory of 2520	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	29
PID 1860 wrote to memory of 2520	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	29
PID 1860 wrote to memory of 2520	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	29
PID 1860 wrote to memory of 2520	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	29
PID 1860 wrote to memory of 2552	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	30
PID 1860 wrote to memory of 2552	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	30
PID 1860 wrote to memory of 2552	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	30
PID 1860 wrote to memory of 2552	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	30
PID 1860 wrote to memory of 2568	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	31
PID 1860 wrote to memory of 2568	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	31
PID 1860 wrote to memory of 2568	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	31
PID 1860 wrote to memory of 2568	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	31
PID 1860 wrote to memory of 3000	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	32
PID 1860 wrote to memory of 3000	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	32
PID 1860 wrote to memory of 3000	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	32
PID 1860 wrote to memory of 3000	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	32
PID 1860 wrote to memory of 1224	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	33
PID 1860 wrote to memory of 1224	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	33
PID 1860 wrote to memory of 1224	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	33
PID 1860 wrote to memory of 1224	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	33
PID 1860 wrote to memory of 1472	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	34
PID 1860 wrote to memory of 1472	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	34
PID 1860 wrote to memory of 1472	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	34
PID 1860 wrote to memory of 1472	1860	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe

C:\Users\Admin\AppData\Local\Temp\3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe
"C:\Users\Admin\AppData\Local\Temp\3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1860
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2656
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2520
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2568
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1224
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\services.exe

Filesize
90KB

MD5
bc81382662fdb3a0a785f26c8fff9b10

SHA1
2d004acc6168ef54a4c027dd629d5195f383ac3b

SHA256
3a29a6ce8691f63227ccd3ef88c5335469239f61563e3ce125cd3d3ad07badd0

SHA512
e2c3018c6ce7cbf9609d5584e6c5237256473c48db3fe6a2bfcf0c7d32476fa781598f1d427128b2aa2fb84da9939a7f4e92b1e168c760395cf48c8fbbfb481e

Download Submit
C:\Windows\xk.exe

Filesize
90KB

MD5
d5619cab0ecf3848e80bf7e742c21020

SHA1
42740edb551f1762bd2299bd8220763880d40622

SHA256
f9adf4b74369e0fe559e5b83299df6b958b1460e42f96483882b22112e2b96a8

SHA512
105b12fadf0aeb5a6731354e6fa336ba7d84efd3dd5155a0432c3f1569c4813d8ed374b0e0797131038ddba84d750625ab14cc2bebe4af8170e7699e4a6be0d2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
90KB

MD5
3c6ad4ddacea15a93c09f9bb363759fb

SHA1
2fda143601a1ce677d132fbbc90718c9af05e027

SHA256
dd7df027ff3d5af050620028e4b37644959babbf3333f7f946a712c64978dd31

SHA512
e7fe19fc1d07890ad60e06fe355093c985966bfa56fa93474fa4f978bff56b16bd66dca558132bdb968b28d9ada37ba91f1a948de629a9032c84a7c41ed0282d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
90KB

MD5
ef84bb787438285e903d9563b80eb81d

SHA1
aff37504f4b3fcdbe92100490d5a9d820c3dc771

SHA256
1f426e4a0b4934c3e56f254115190cc3950bc7e825ad0bb1802695d460550bd3

SHA512
03bf2fca0aa3feaa88a6d4db34c8c4f9f7ff1eb3e26db293603bd859fa7cb7c57f779e81d088ffad4a61fe2fb71002e928576bc1b305f312503c3c962a3c4ddd

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
90KB

MD5
0a3319eb852a5edb1679b1b914206d77

SHA1
4ee4574ce098cf3d3057316b14ad44754a528b03

SHA256
66836d27b81eea3a20382a71769fe7d7e38827570ccd1d0d0f14e0d2f24ae5fb

SHA512
7fa630b6559c422d5a198c93de26423ba1b566c4ee88c29c4eabdd656efb477077f3d5607bc3c85caa9974d8a5361855b53a4a4de281515e1265a3690139e4f4

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
90KB

MD5
8ef30386ac85d8c20d3cb11ca14570a6

SHA1
2f91ab6f6837a177bf2817baf905178e3041d4fe

SHA256
f2dd6c0ee3b0d29b29fd998d7443c2705a0071f5b409124a927b27d183506839

SHA512
0ec8ef77f6110a8bda5416c0e1e39d072b2efd902108bbb2c5ed0ba24e2b14a0731d1b0ffe09495cb9e3ad0e51a2c8464d9b02f024524e97ad076f68b38f7335

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
90KB

MD5
9e4471893ab9c10f1abd86b4db9466d9

SHA1
d29f67f0c5c7827deedd50ea248b380bca199b6a

SHA256
4e173ad179f6e8ed164abb9edcdc347c0db7af43c1acc75e9811155fdd10a101

SHA512
72ef66b174a0f85b14262a18ab7396a9daa41befdab7cc430938e095202a356871c6ffb4a0d7b9a70348f07584b77734ab1d3baee081697ed7ced8ec409847a5

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
90KB

MD5
c7ebae3d20d7498d35ef65277ec13265

SHA1
69ebd73a17193cd6e7232b0b5191fc668342c156

SHA256
3826fc11eb7b8f8cafd0b55c4be21da1e47d2d980ebd1bb34276a9e08637b70a

SHA512
ab5eb8e86bca7f5f0516acc1089c45fe03a118714a9c16174bfea0b6df43e751a25258a69d1347bb48be21c618e655e4f19bd00d100571de911735adf2cdbcdf

Download Submit
memory/1224-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1472-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-129-0x0000000002700000-0x000000000272F000-memory.dmp

Filesize
188KB

Download
memory/1860-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-108-0x0000000002700000-0x000000000272F000-memory.dmp

Filesize
188KB

Download
memory/2520-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2552-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2656-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3000-153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download