Analysis
-
max time kernel
1614s -
max time network
1593s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
07-07-2022 03:53
General
-
Target
3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
-
Size
196KB
-
MD5
993ee279bc338255e79c3ab5a4a022db
-
SHA1
2004648b06f2633b9831eb71e24313bac3b3f5b2
-
SHA256
3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42
-
SHA512
b234176793a37162c0ac9d9234e29c8679f9bcb7776d690bf79c654300bdeeed2860b711116f263068f2cb8d4d764589c6d08e2b87329becb47ab36f993dc5a3
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies system executable filetype association 2 TTPs 13 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 14 IoCs
-
UPX packed file 40 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe"C:\Users\Admin\AppData\Local\Temp\3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe"1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXEFilesize
196KB
MD537a148170486cceb17a63338face8c36
SHA1140b97700ff7ebf996ea3e4c5354efa96564cb9d
SHA256fa751a94a1737ce0dae2a357df4c0b617f7b56a0200c54ec015fd96cd4920a65
SHA512dae909ebab65661c0fbb09558caa318079534a49ade0fdf0bb40a40d3edd78beac787aa95d81fc7b2dc1560ead2fb5ae2f146ee282cca410c562705ebf642411
-
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXEFilesize
196KB
MD537a148170486cceb17a63338face8c36
SHA1140b97700ff7ebf996ea3e4c5354efa96564cb9d
SHA256fa751a94a1737ce0dae2a357df4c0b617f7b56a0200c54ec015fd96cd4920a65
SHA512dae909ebab65661c0fbb09558caa318079534a49ade0fdf0bb40a40d3edd78beac787aa95d81fc7b2dc1560ead2fb5ae2f146ee282cca410c562705ebf642411
-
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXEFilesize
196KB
MD591ac7778249d877d4febb29531e7f6f3
SHA1592b8c2bbb27b0fe7c7075b0abe7eeaf5a09d792
SHA256670690a532c95820d050d6e452438608507cb5c9c48211817221ae0d8cb68b40
SHA5125d495b96a8013ddb635d40b8fd0bf2e0fc9d03c845dca7380d38d17de459158682e8d2b87799ec2d975d3c14f8fdfbb17f1a83503569890a9816911d0eeb464f
-
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXEFilesize
196KB
MD591ac7778249d877d4febb29531e7f6f3
SHA1592b8c2bbb27b0fe7c7075b0abe7eeaf5a09d792
SHA256670690a532c95820d050d6e452438608507cb5c9c48211817221ae0d8cb68b40
SHA5125d495b96a8013ddb635d40b8fd0bf2e0fc9d03c845dca7380d38d17de459158682e8d2b87799ec2d975d3c14f8fdfbb17f1a83503569890a9816911d0eeb464f
-
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXEFilesize
196KB
MD55ca6b80443e80645aaebd44fdeb48654
SHA1d50425ae829ae488a8ebf6afd34e610c75a516ad
SHA2569e790843a571149b8935cd4bedcf8430586a6273bf4403bc64f1a88fcd90002d
SHA512039eeeed39478d7743d24de025cce5cde255697f003fda91df6ec039523401c18adf5099c9d4adf557e521dedca4f67f7494dbb93b550d23d8bdc5ff8d9d329f
-
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXEFilesize
196KB
MD55ca6b80443e80645aaebd44fdeb48654
SHA1d50425ae829ae488a8ebf6afd34e610c75a516ad
SHA2569e790843a571149b8935cd4bedcf8430586a6273bf4403bc64f1a88fcd90002d
SHA512039eeeed39478d7743d24de025cce5cde255697f003fda91df6ec039523401c18adf5099c9d4adf557e521dedca4f67f7494dbb93b550d23d8bdc5ff8d9d329f
-
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXEFilesize
196KB
MD567c2b914e0561de9ea1bef0efd24707f
SHA1074513238aeb045fa2c32d9fd9b8ffe1ee8200fb
SHA2566b05b8aa7ccc2c9c015e3d44bf1fe7364fa5c101910ce54505eef67df7db7153
SHA5120a56180fbaa961fcb81a797b964f0163c5e4eb3c5ffa9be933fea33252f713815a6a27724194843bf6f571ba13a3430daa362afc1f880f318ef461fe33b22eb7
-
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXEFilesize
196KB
MD567c2b914e0561de9ea1bef0efd24707f
SHA1074513238aeb045fa2c32d9fd9b8ffe1ee8200fb
SHA2566b05b8aa7ccc2c9c015e3d44bf1fe7364fa5c101910ce54505eef67df7db7153
SHA5120a56180fbaa961fcb81a797b964f0163c5e4eb3c5ffa9be933fea33252f713815a6a27724194843bf6f571ba13a3430daa362afc1f880f318ef461fe33b22eb7
-
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXEFilesize
196KB
MD56efda4249d4fffe636dc77d0c9df64f9
SHA12fc7a2318a4b8078848f03278417c62bed0c30d5
SHA25647cd17f6529aa2f39a4c7043ca8732b1e4cc153a1197195ad89acccac0f96734
SHA512efb9c0d43f3aa5eb710c29726e9b5caaf15f62e46241666fa48511662766aaea1b325f7a992d8305fbe80c0357d7a11cc5c6fe7afa7a8ae17fe6498139cf74ba
-
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXEFilesize
196KB
MD57fdba97df7536725e8074a5e5de96ada
SHA197706030e9ae646f43d9fc670c0dc60e4a4535a3
SHA2569b9efc5e464f239985a3dfa345f41995e0e44124a4c0c6277821fb6625024dc7
SHA5120dd7e3e7d7eb997ceb16b2b650969cd274ec967b122cd22b02bb6e86171e9ee34e7ce470129c4e18f53f22f678ff99b7159be4f55ad423cfac57887944ee27b4
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXEFilesize
196KB
MD537a148170486cceb17a63338face8c36
SHA1140b97700ff7ebf996ea3e4c5354efa96564cb9d
SHA256fa751a94a1737ce0dae2a357df4c0b617f7b56a0200c54ec015fd96cd4920a65
SHA512dae909ebab65661c0fbb09558caa318079534a49ade0fdf0bb40a40d3edd78beac787aa95d81fc7b2dc1560ead2fb5ae2f146ee282cca410c562705ebf642411
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXEFilesize
196KB
MD591ac7778249d877d4febb29531e7f6f3
SHA1592b8c2bbb27b0fe7c7075b0abe7eeaf5a09d792
SHA256670690a532c95820d050d6e452438608507cb5c9c48211817221ae0d8cb68b40
SHA5125d495b96a8013ddb635d40b8fd0bf2e0fc9d03c845dca7380d38d17de459158682e8d2b87799ec2d975d3c14f8fdfbb17f1a83503569890a9816911d0eeb464f
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXEFilesize
196KB
MD55ca6b80443e80645aaebd44fdeb48654
SHA1d50425ae829ae488a8ebf6afd34e610c75a516ad
SHA2569e790843a571149b8935cd4bedcf8430586a6273bf4403bc64f1a88fcd90002d
SHA512039eeeed39478d7743d24de025cce5cde255697f003fda91df6ec039523401c18adf5099c9d4adf557e521dedca4f67f7494dbb93b550d23d8bdc5ff8d9d329f
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXEFilesize
196KB
MD567c2b914e0561de9ea1bef0efd24707f
SHA1074513238aeb045fa2c32d9fd9b8ffe1ee8200fb
SHA2566b05b8aa7ccc2c9c015e3d44bf1fe7364fa5c101910ce54505eef67df7db7153
SHA5120a56180fbaa961fcb81a797b964f0163c5e4eb3c5ffa9be933fea33252f713815a6a27724194843bf6f571ba13a3430daa362afc1f880f318ef461fe33b22eb7
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXEFilesize
196KB
MD56efda4249d4fffe636dc77d0c9df64f9
SHA12fc7a2318a4b8078848f03278417c62bed0c30d5
SHA25647cd17f6529aa2f39a4c7043ca8732b1e4cc153a1197195ad89acccac0f96734
SHA512efb9c0d43f3aa5eb710c29726e9b5caaf15f62e46241666fa48511662766aaea1b325f7a992d8305fbe80c0357d7a11cc5c6fe7afa7a8ae17fe6498139cf74ba
-
C:\Windows\SysWOW64\IExplorer.exeFilesize
196KB
MD5505841ed73f6d33ad78a0f7e0b600d7e
SHA11aa701aca12be93ab3ea685033ccde1ad3da0047
SHA25656f489b0bc75a67dfd7f54c2eb1338d34d1ee9396b7e055a67e1db7be7b39d52
SHA512bd44ba3c05e3df97be92debcdedacb0f6c3e41f82f5f990ca4e374b522699fa6639d170b1960745d96e570c1f1e7c023e1d331ed9059dc0dc5487b3604a4f252
-
C:\Windows\SysWOW64\IExplorer.exeFilesize
196KB
MD5505841ed73f6d33ad78a0f7e0b600d7e
SHA11aa701aca12be93ab3ea685033ccde1ad3da0047
SHA25656f489b0bc75a67dfd7f54c2eb1338d34d1ee9396b7e055a67e1db7be7b39d52
SHA512bd44ba3c05e3df97be92debcdedacb0f6c3e41f82f5f990ca4e374b522699fa6639d170b1960745d96e570c1f1e7c023e1d331ed9059dc0dc5487b3604a4f252
-
C:\Windows\SysWOW64\IExplorer.exeFilesize
196KB
MD558e4830e26df461f4b1967449d3891ea
SHA11e45f2812a27975820513c4df5873cce05292482
SHA2563950426473a19b241a3e027047b9a8823a3f57a8885796a05b2c98dc0544f78c
SHA512b96c9134bea4b95ceff6f8fb25167b0e695447787ecf2b2bc15e794c7e0230a56704afa2d27769d54de58ada29e06d76b431ed14fba3c192fd0fa5da8b73462f
-
C:\Windows\xk.exeFilesize
196KB
MD5d785cc12c391b4fa756840f00670f658
SHA1ddc7521c958f1379256133f9ad1167ec7900db23
SHA25645e354f53d168498adabe68d6e878f2ef286ba203eaa67eb22dba64987d8ceb0
SHA512abdb2403c6a0bee032ee0cf2d4032ea30be4ae14195e67734af3e941cd5de1de53b46ffa1a1e61b78d5eec44777d3d18370a5245a0438d11495eb7e21fbd6bc9
-
C:\Windows\xk.exeFilesize
196KB
MD5d785cc12c391b4fa756840f00670f658
SHA1ddc7521c958f1379256133f9ad1167ec7900db23
SHA25645e354f53d168498adabe68d6e878f2ef286ba203eaa67eb22dba64987d8ceb0
SHA512abdb2403c6a0bee032ee0cf2d4032ea30be4ae14195e67734af3e941cd5de1de53b46ffa1a1e61b78d5eec44777d3d18370a5245a0438d11495eb7e21fbd6bc9
-
C:\Windows\xk.exeFilesize
196KB
MD555b70386a08e3d78d12f65e8fef532a0
SHA15d8368b224ce44c9a9099b358af8bfacafbd49a8
SHA256d2b8a4696dc2400bc83c32c2a82468d6b4aa03e8e7734a25d51631cd21817151
SHA512bb7f88b09ca89d4b9a33fe2b758ba368276388a16b335622b7596f47b5828436c06a97d9803a1f94acad0944e1a5190dd24712ffaf6ffeb4c88fc99734a20435
-
memory/544-208-0x0000000000000000-mapping.dmp
-
memory/544-212-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/764-201-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/764-197-0x0000000000000000-mapping.dmp
-
memory/992-184-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/992-179-0x0000000000000000-mapping.dmp
-
memory/2272-185-0x0000000000000000-mapping.dmp
-
memory/2272-190-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2528-178-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2528-173-0x0000000000000000-mapping.dmp
-
memory/3116-202-0x0000000000000000-mapping.dmp
-
memory/3116-204-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3116-207-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3192-144-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3192-139-0x0000000000000000-mapping.dmp
-
memory/3556-138-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3556-133-0x0000000000000000-mapping.dmp
-
memory/3880-172-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3880-167-0x0000000000000000-mapping.dmp
-
memory/3984-161-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3984-157-0x0000000000000000-mapping.dmp
-
memory/4048-191-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4048-132-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4048-213-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4108-151-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4108-149-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4108-145-0x0000000000000000-mapping.dmp
-
memory/4180-192-0x0000000000000000-mapping.dmp
-
memory/4180-196-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4224-156-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4224-152-0x0000000000000000-mapping.dmp
-
memory/4804-166-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4804-162-0x0000000000000000-mapping.dmp