Overview

overview

10

Static

static

8

99cd30e5e4...88.exe

windows7_x64

10

99cd30e5e4...88.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1690s
  • max time network
    1602s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99cd30e5e45b85b12ac72c685b0c2937cd9b8edb71d7f359a6829353be77a288.exe

  • Size

    336KB

  • MD5

    76e0568cd550d31fe8f8974b69918a72

  • SHA1

    1b9dc5b41bddce2db51c9951ebc9efc211178358

  • SHA256

    99cd30e5e45b85b12ac72c685b0c2937cd9b8edb71d7f359a6829353be77a288

  • SHA512

    26d13b91bbb14e537a9f216973b21e28facdce6fb03184fa4a6c2343acc86eecab820513772d1e31c0bb8de79b3744edd67cd8919d5947f1f4ee8463cc157ce8

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • UPX packed file 38 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\99cd30e5e45b85b12ac72c685b0c2937cd9b8edb71d7f359a6829353be77a288.exe
    "C:\Users\Admin\AppData\Local\Temp\99cd30e5e45b85b12ac72c685b0c2937cd9b8edb71d7f359a6829353be77a288.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3484
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1624
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4200
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3360
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4360
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1596
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3232
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4884
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4400
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4248
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4012
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1964
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2076
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1104
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Change Default File Association

1
T1042

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    336KB

    MD5

    00c5da328a34940ee06f0693ef11c892

    SHA1

    4af9c8056edfe4df1736d0f5cadcdedc45791e49

    SHA256

    3e7fef18836383515dbcad5c19f1ffe9eaf5dc5062d06e65877f8a8ae4bcddf7

    SHA512

    078d2e803aae83d47c331464bd4c50b81b5d047f757eaa4e155c3fe1ba1b3ff89eb21fed018ea077d1d1067dcd901a3372ce5ebcc579e66791c64d5222a0cb50

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    336KB

    MD5

    508f2e69f7120c8cda3fb90cee296db6

    SHA1

    719715a34421ea9b98b978657d94f02d58308f5c

    SHA256

    f3833d2d06ab5de361e8d12347132245ab0ce56208619e6eab206bbdf8e7797a

    SHA512

    f4bacb15d49cb90cf6d203b7742e47f27e5cba1f98b938580d737d5babbc30d87f42cac2de2a0b87d98fe58e6e1c2021f716d71256ae37a8e362989899ec4b73

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    336KB

    MD5

    b76c5c7bd9a105b67c974275af66477d

    SHA1

    53bc35314f086f19e6131b5c9fa00b79d6f06278

    SHA256

    0785f06118197a82ade1094c9581a32d4647ebd44a470263b313a61efdc6e38b

    SHA512

    ee4e5d720196b5d0a5f9f389a037c4848270b9c19ceb52678ffa7b05440c3be50c56de1fe06f66f8016d1cc390747beb817908bb6029d8a9e5251509592fb0b5

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    336KB

    MD5

    b76c5c7bd9a105b67c974275af66477d

    SHA1

    53bc35314f086f19e6131b5c9fa00b79d6f06278

    SHA256

    0785f06118197a82ade1094c9581a32d4647ebd44a470263b313a61efdc6e38b

    SHA512

    ee4e5d720196b5d0a5f9f389a037c4848270b9c19ceb52678ffa7b05440c3be50c56de1fe06f66f8016d1cc390747beb817908bb6029d8a9e5251509592fb0b5

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    336KB

    MD5

    cf804c6b179c8c4c7a8af046e94f47c5

    SHA1

    81186eba7a8ff69cc0782e47dfd0d46cc8aecb3e

    SHA256

    b25b8edca6e91971c846f10ae119208c3bfcdf559091025b9c655210a5a96018

    SHA512

    b88d67c79913c0e9f83e86b87504779de067b027b03dfef6a94a98e8ddd05b29921544a42f4f28f2eeb3c5492173c8d951b61420da8fbda454c91a94e183ad47

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    336KB

    MD5

    d0741143ed0af128965488da1950d155

    SHA1

    6fd4dbe24947fea5207066cdaccca8b73490ac72

    SHA256

    f51f3ddb7c1695e28b98007e0e45e7b5ad4c5691d5574460659f851dd0706e3e

    SHA512

    a3e30835330223f271291cbd5c1524c5f0494dd89f58a784041467056fdb358f764697db4430c35145a11596dfa4fb46c68bf5c2325286b620b2817db9b7add9

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    336KB

    MD5

    74aa3fe48ca621eab1dfebf6e268d783

    SHA1

    5f0849892bd71cc63ae42322fa7930ee99c74f95

    SHA256

    9e661853b73e81c761b5b42ffa5b62e11371c45d07d23a80862813887345c640

    SHA512

    5596ca0b7fe99d16d48690861d00f4ed3ebf18de8f2ea4ecf67e31d519994d67ee301e03c241ed58b78501ab271fbbf6ccb54b4f244d6f420a7d7349235e2121

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    336KB

    MD5

    74aa3fe48ca621eab1dfebf6e268d783

    SHA1

    5f0849892bd71cc63ae42322fa7930ee99c74f95

    SHA256

    9e661853b73e81c761b5b42ffa5b62e11371c45d07d23a80862813887345c640

    SHA512

    5596ca0b7fe99d16d48690861d00f4ed3ebf18de8f2ea4ecf67e31d519994d67ee301e03c241ed58b78501ab271fbbf6ccb54b4f244d6f420a7d7349235e2121

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    336KB

    MD5

    4e23b0ec60495a9f4e6f336e8615e7ba

    SHA1

    851048def50a8ed06db1e3455513cec3b44cedff

    SHA256

    2ba4f93f71e9f5e228bb0604b16f9c7c1f390c4a579a86698b6805ac0fa252e5

    SHA512

    594b17f00390d2e27d1f1d47afb179f785be3379cee1d12cf761dd665993098f1f90e222ab1bc84702dd1733db3d669d2669cf16fab14c347afeb9a15401c597

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    336KB

    MD5

    a59f968506b9d78807ec200404acd989

    SHA1

    7d4d08b8ad41e1bb175635cc4a9eeeafd7b9eeee

    SHA256

    caea2eb9dcd7c2a5e2133df2e167ae5600c90ea2c42dc0fa1eb195e4ff2d706d

    SHA512

    6639c6f6d1d0a2d6dadb06af45c1562e247eb82ca29a41816b64dc29c0d307f908bc356de58998606614f573d0aae3d5e8694f89172cc7cd151e5fa6482c3056

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Filesize

    336KB

    MD5

    00c5da328a34940ee06f0693ef11c892

    SHA1

    4af9c8056edfe4df1736d0f5cadcdedc45791e49

    SHA256

    3e7fef18836383515dbcad5c19f1ffe9eaf5dc5062d06e65877f8a8ae4bcddf7

    SHA512

    078d2e803aae83d47c331464bd4c50b81b5d047f757eaa4e155c3fe1ba1b3ff89eb21fed018ea077d1d1067dcd901a3372ce5ebcc579e66791c64d5222a0cb50

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Filesize

    336KB

    MD5

    b76c5c7bd9a105b67c974275af66477d

    SHA1

    53bc35314f086f19e6131b5c9fa00b79d6f06278

    SHA256

    0785f06118197a82ade1094c9581a32d4647ebd44a470263b313a61efdc6e38b

    SHA512

    ee4e5d720196b5d0a5f9f389a037c4848270b9c19ceb52678ffa7b05440c3be50c56de1fe06f66f8016d1cc390747beb817908bb6029d8a9e5251509592fb0b5

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    336KB

    MD5

    cf804c6b179c8c4c7a8af046e94f47c5

    SHA1

    81186eba7a8ff69cc0782e47dfd0d46cc8aecb3e

    SHA256

    b25b8edca6e91971c846f10ae119208c3bfcdf559091025b9c655210a5a96018

    SHA512

    b88d67c79913c0e9f83e86b87504779de067b027b03dfef6a94a98e8ddd05b29921544a42f4f28f2eeb3c5492173c8d951b61420da8fbda454c91a94e183ad47

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    336KB

    MD5

    74aa3fe48ca621eab1dfebf6e268d783

    SHA1

    5f0849892bd71cc63ae42322fa7930ee99c74f95

    SHA256

    9e661853b73e81c761b5b42ffa5b62e11371c45d07d23a80862813887345c640

    SHA512

    5596ca0b7fe99d16d48690861d00f4ed3ebf18de8f2ea4ecf67e31d519994d67ee301e03c241ed58b78501ab271fbbf6ccb54b4f244d6f420a7d7349235e2121

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize

    336KB

    MD5

    4e23b0ec60495a9f4e6f336e8615e7ba

    SHA1

    851048def50a8ed06db1e3455513cec3b44cedff

    SHA256

    2ba4f93f71e9f5e228bb0604b16f9c7c1f390c4a579a86698b6805ac0fa252e5

    SHA512

    594b17f00390d2e27d1f1d47afb179f785be3379cee1d12cf761dd665993098f1f90e222ab1bc84702dd1733db3d669d2669cf16fab14c347afeb9a15401c597

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    336KB

    MD5

    5ed8bee35f33ccb6091ec1c9e43b72e8

    SHA1

    d1c947696beea81bbd30fecf2e223ca400dfe7fc

    SHA256

    09e2ac2d383e575637f42202e2007a37e4bb772ea967d667d458b29ac728c264

    SHA512

    95cbf64572dca9fd5220e47e2f4636c7f5ab235a8832ee514a24779a9582a4094d4d1bae2bb1c98e333a540e20071e7194eb08fdd11fa1c87ff2c4f66637a322

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    336KB

    MD5

    5ed8bee35f33ccb6091ec1c9e43b72e8

    SHA1

    d1c947696beea81bbd30fecf2e223ca400dfe7fc

    SHA256

    09e2ac2d383e575637f42202e2007a37e4bb772ea967d667d458b29ac728c264

    SHA512

    95cbf64572dca9fd5220e47e2f4636c7f5ab235a8832ee514a24779a9582a4094d4d1bae2bb1c98e333a540e20071e7194eb08fdd11fa1c87ff2c4f66637a322

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    336KB

    MD5

    bc8f228e33f146af01f38c793ef4f903

    SHA1

    cbdaa9429cb97ac4baabcd387f022346ac3f0c18

    SHA256

    94d364d3472d50d229177b50d69da4de143ae6d8fd5939cb2fac02798ff0709c

    SHA512

    e97093eb6c6559816bd3367e734189cd73467ba4523af21dd02e35617615007cf211d2cd336395fcb126b06042365be34653efb62cd42d7a6d502b8caaa157c8

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    336KB

    MD5

    d1fcb1a87b21b68cfc9b8713f5c45c15

    SHA1

    25ee2dc92ef9817d8597138644b2939822fb38e2

    SHA256

    fcb22b25463c90a21960ba2f4187b6d05ca409a13f3cbeb5822afc5e99c2111c

    SHA512

    9405a6c9f4180eee6663a004ff71d10e91f72e52b9972ae78e0910e710bc23bb330b066d168af89ebc11f18d471e94250d894e75ccebe419c1f4e82b7a7f3923

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    336KB

    MD5

    d1fcb1a87b21b68cfc9b8713f5c45c15

    SHA1

    25ee2dc92ef9817d8597138644b2939822fb38e2

    SHA256

    fcb22b25463c90a21960ba2f4187b6d05ca409a13f3cbeb5822afc5e99c2111c

    SHA512

    9405a6c9f4180eee6663a004ff71d10e91f72e52b9972ae78e0910e710bc23bb330b066d168af89ebc11f18d471e94250d894e75ccebe419c1f4e82b7a7f3923

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    336KB

    MD5

    13c8bb0cb1193e71c51047c2d214a9f2

    SHA1

    0c7f1b6c799216843df7c3a82ae01fb842e11ed8

    SHA256

    ff0a44e471cecb26c93be3312b327d11e0d0667b778f138e493ae9b32050fc84

    SHA512

    222c9332107f70fc0b39ad9dddf069a82a23bb75aeee98670b7875a0900c5e3bef249bd0d974fd1ad688f6deedb822a09962504bdf563292592a072de1dc08ef

    Download Submit
  • memory/1104-201-0x0000000000000000-mapping.dmp
    Download
  • memory/1104-206-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1596-157-0x0000000000000000-mapping.dmp
    Download
  • memory/1596-162-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1624-133-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-138-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1964-193-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1964-187-0x0000000000000000-mapping.dmp
    Download
  • memory/2076-194-0x0000000000000000-mapping.dmp
    Download
  • memory/2076-199-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3232-168-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3232-163-0x0000000000000000-mapping.dmp
    Download
  • memory/3360-150-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3360-145-0x0000000000000000-mapping.dmp
    Download
  • memory/3484-200-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3484-211-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3484-132-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4012-188-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4012-183-0x0000000000000000-mapping.dmp
    Download
  • memory/4200-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4200-144-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4248-178-0x0000000000000000-mapping.dmp
    Download
  • memory/4248-182-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4360-151-0x0000000000000000-mapping.dmp
    Download
  • memory/4360-156-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4400-173-0x0000000000000000-mapping.dmp
    Download
  • memory/4400-177-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4700-205-0x0000000000000000-mapping.dmp
    Download
  • memory/4700-210-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4884-167-0x0000000000000000-mapping.dmp
    Download
  • memory/4884-172-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download