Overview

overview

10

Static

static

8

37d0e176d8...30.exe

windows7_x64

10

37d0e176d8...30.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1561s
  • max time network
    1598s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37d0e176d83113d87aae7afccd5313f0e95b02100516fd50f2d94ed3ea9b8830.exe

  • Size

    196KB

  • MD5

    9a6d52fae3d7017dbc722433f6a3d2fb

  • SHA1

    a501af737fc77efa268473cb92afa44c203ebc17

  • SHA256

    37d0e176d83113d87aae7afccd5313f0e95b02100516fd50f2d94ed3ea9b8830

  • SHA512

    357ce4de1a03df6641542f0e1f5a77587eb05bbb5e6a83ebd304be295a8c4cafb8adeadc0f88afdb55dc403f980388004b3450596a935c2c8c1a509846f12f33

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • UPX packed file 40 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\37d0e176d83113d87aae7afccd5313f0e95b02100516fd50f2d94ed3ea9b8830.exe
    "C:\Users\Admin\AppData\Local\Temp\37d0e176d83113d87aae7afccd5313f0e95b02100516fd50f2d94ed3ea9b8830.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3112
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:532
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1012
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1732
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1084
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1264
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4816
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4728
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4808
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4340
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3724
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1520
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:708
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3172
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Change Default File Association

1
T1042

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    7af309f324eb2ff140bc17dd7b729d87

    SHA1

    ebc8d226cf96f21d302fc573213be241ac07ad65

    SHA256

    6c15e48574259be6dc8da1bff2038e2e4277509f0cc9f1bb0e058eafc7a76230

    SHA512

    509a6860bc37dfda8eac12ae26e7b9aee1b7d50064c2e3a85e87e14b0fa070dc349a065c840b8ab877e51870b4938aa0ab041f6f4c315f020904adca01897932

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    e508df910386cff55be4caec087702cf

    SHA1

    00f9d27127b26aa52c7c529dc230f7bdad836aa9

    SHA256

    862e6836c6a1fe62994c0fe01a76f6b9b57dbd5e7167f55a1846b47fb1eea724

    SHA512

    cd16725b91cc0f4f4d89c65b1b0f997ed60b1a170c71b16a0d150cbb4e105b33e945c418004b06f71b848bc87f5a0abe85c25dada0b6e5c79c2ee58071f56117

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    08422a0bf2aa2ef60d0d8d8827c6e580

    SHA1

    d146174d34e5d81efaaa6107919bb175285dc442

    SHA256

    5473eb4d2ce0135c4d0150980348db770ed54c25f7b3ef9bf093fc152dcf58e5

    SHA512

    16cdbd423908d4cfeed6f2dc1b3405fdf47581b160521fd85f2b54f84089d64fd47f7dd3c69abc3f5f1ebbe20b32eb7986420667080643a32f40bc483747fdc7

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    39acfaa85fd9dfd67e859737da33bbe3

    SHA1

    8491865a9bcdc6861655d5ef2cd813f074ce8133

    SHA256

    09a08ee107b3cdc7ce1debbb3e5f7c0d1dae0f76fc0a4294136d23e41080fb10

    SHA512

    afa16448f1b5c16f904f870efda58231c387c0c58696624b37e64a04d05c77199759a2a028808f6546858f7c311d070c3acd289c67badfc51fbaa728ff051839

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    b790ea0ad48b6dbe42c7718b8c980fc8

    SHA1

    c591f2089efe55d4231e6ee5889877bbb5512305

    SHA256

    12551a17b531b6dd8df4315a2b9d88ee7fa56a68ba0ea2d7bdbf21e2485df137

    SHA512

    26d9488075aacc37ed7f22b47ee7ab8e8b63e31a531c616e29a7848a5a56399717d972cfee6009afc47edaf02a5c33004bbdb35c2b97289acc9c5fb8af183213

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    751d568ae6a689de7414940656a70f9d

    SHA1

    4717e8c429b0d3a0295714df1d1d0cdbbf131572

    SHA256

    d87138ea28cfc4eb08e03d5bf8a144666558f25c8e0a0ce85dc537502f637369

    SHA512

    e0ce82aff728f22bf70a9d50138a7976e82cc6a6d0ded229a966ac0fa25ef09c3e1ebd982ac27e2b76a5d0eb9dc96cecff52ee3a1a2f5899e512df699fd8dc9b

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    33d43476483f0a5be18d6ce6d7ebfd12

    SHA1

    f884b82efdbfe6beec65f591e278ac4fa5bbfe8f

    SHA256

    91f8a6fd70df4afeda767b9c8e1ec40f2147634d2dd3fd9634010f71fefcf2ec

    SHA512

    5a7025a6847feb1f7e9001fe7fca761eb33df9c529719e10bc614aff4cb99796df11e91c4042a5aa90f74b7bfd63b050fc834a765c1fe82eecda101a572688fa

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    541766956c3b2045ef3fe3ca4c2f78a7

    SHA1

    fca12a2d4cf40dfb51e8801c87212f1cb4041852

    SHA256

    02e3da32362d9651dd79437e5f93d85a1ef66c83eb85c0cf12cf95f5dc26e4b3

    SHA512

    eba91c0afc3302daef4c2438c9665e0470f137fb4d726dc2b15d6d70ad999b2fe932ce7af86b1f79bb4b44b48ee29de14d8113dae768e886bd0e6dc6754e9192

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    3414209b2ea4e1628d6c591ca129dd29

    SHA1

    32231da8fd1354cebe40ae5ef4e777ef7348db5f

    SHA256

    c6bafc804d9d5314d26e81e078718db9074028554d89dd5a7a9c411db715a971

    SHA512

    c0f43214904a0a9e59dfc3850fb7a52af2fde220697270885d6cd462d9c355563af2d9a264f0d322f444a3b6461b3bb4351e2de6747b10b3b3036aa572fb0889

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    ac81519047df5e25d5d6be1d67215911

    SHA1

    dfaaa8eaa95de97307c961e22e5319c769c4686a

    SHA256

    c567b28e656b8614bfa8db1891ba9e2eb9c9b656c3515e8b4c6f05375e5fe4f8

    SHA512

    c56701cb2cfd4e30e9551dc70301daeecfeb1d47de5a91505eb1a4b9e8aa7c141df95cae62abdf4ca084d5bc5e26a833e1301eddee8e78ed3dae5569db30da03

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    7af309f324eb2ff140bc17dd7b729d87

    SHA1

    ebc8d226cf96f21d302fc573213be241ac07ad65

    SHA256

    6c15e48574259be6dc8da1bff2038e2e4277509f0cc9f1bb0e058eafc7a76230

    SHA512

    509a6860bc37dfda8eac12ae26e7b9aee1b7d50064c2e3a85e87e14b0fa070dc349a065c840b8ab877e51870b4938aa0ab041f6f4c315f020904adca01897932

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    08422a0bf2aa2ef60d0d8d8827c6e580

    SHA1

    d146174d34e5d81efaaa6107919bb175285dc442

    SHA256

    5473eb4d2ce0135c4d0150980348db770ed54c25f7b3ef9bf093fc152dcf58e5

    SHA512

    16cdbd423908d4cfeed6f2dc1b3405fdf47581b160521fd85f2b54f84089d64fd47f7dd3c69abc3f5f1ebbe20b32eb7986420667080643a32f40bc483747fdc7

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    b790ea0ad48b6dbe42c7718b8c980fc8

    SHA1

    c591f2089efe55d4231e6ee5889877bbb5512305

    SHA256

    12551a17b531b6dd8df4315a2b9d88ee7fa56a68ba0ea2d7bdbf21e2485df137

    SHA512

    26d9488075aacc37ed7f22b47ee7ab8e8b63e31a531c616e29a7848a5a56399717d972cfee6009afc47edaf02a5c33004bbdb35c2b97289acc9c5fb8af183213

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    33d43476483f0a5be18d6ce6d7ebfd12

    SHA1

    f884b82efdbfe6beec65f591e278ac4fa5bbfe8f

    SHA256

    91f8a6fd70df4afeda767b9c8e1ec40f2147634d2dd3fd9634010f71fefcf2ec

    SHA512

    5a7025a6847feb1f7e9001fe7fca761eb33df9c529719e10bc614aff4cb99796df11e91c4042a5aa90f74b7bfd63b050fc834a765c1fe82eecda101a572688fa

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    3414209b2ea4e1628d6c591ca129dd29

    SHA1

    32231da8fd1354cebe40ae5ef4e777ef7348db5f

    SHA256

    c6bafc804d9d5314d26e81e078718db9074028554d89dd5a7a9c411db715a971

    SHA512

    c0f43214904a0a9e59dfc3850fb7a52af2fde220697270885d6cd462d9c355563af2d9a264f0d322f444a3b6461b3bb4351e2de6747b10b3b3036aa572fb0889

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    a1e1df57b29582818c4bfcd937b06919

    SHA1

    b20ef5275fec3c64bd4f8f7a504e55b6af703652

    SHA256

    d5073ffef0e3732876a01a943e6f52b3157f32fcf240a6dc99b60784825670dc

    SHA512

    d97b8334f95fbc6502d50fb59275af1c48da7bb97826c172e6acb1f4e478e7f50b70f914381e5958e0b8e8daefe281214369c69cdb0e49981f55ab2eb57ac8ab

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    a1e1df57b29582818c4bfcd937b06919

    SHA1

    b20ef5275fec3c64bd4f8f7a504e55b6af703652

    SHA256

    d5073ffef0e3732876a01a943e6f52b3157f32fcf240a6dc99b60784825670dc

    SHA512

    d97b8334f95fbc6502d50fb59275af1c48da7bb97826c172e6acb1f4e478e7f50b70f914381e5958e0b8e8daefe281214369c69cdb0e49981f55ab2eb57ac8ab

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    e8c240948c2d7436383c742caaccacb2

    SHA1

    53916f4334f55bec91604ad560eb3bb0553dc196

    SHA256

    b0be489f6a78c7722d0b63f5d44c2efb5f3782f1de1ffb797d878552b1b05f03

    SHA512

    9ab3bdef8ef756f448573448e0d2c1f88c362b2e5bd3d6c7fd4e794b7ff97143ff848d437b0b50e279889ca093a8e8f764a70f497042c6d473cd0a03f33951ac

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    6734cf8f67f5d33bd54b07d844b74915

    SHA1

    f9b4accc2fe4f7a2053c0bea0a200b6450471e3f

    SHA256

    3f74dbe43a88b9677854fae6bb23e49e77dea00818e22c745b70aea007638eff

    SHA512

    7cdaf17b24686c0b6fcb49f04028039e2f0042058ea48e5ddd779c9c687ccd61161e14e712078ad6373072077e4c2e183600277e080bdd83181cc32500524890

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    6734cf8f67f5d33bd54b07d844b74915

    SHA1

    f9b4accc2fe4f7a2053c0bea0a200b6450471e3f

    SHA256

    3f74dbe43a88b9677854fae6bb23e49e77dea00818e22c745b70aea007638eff

    SHA512

    7cdaf17b24686c0b6fcb49f04028039e2f0042058ea48e5ddd779c9c687ccd61161e14e712078ad6373072077e4c2e183600277e080bdd83181cc32500524890

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    532d19c4e9b99a00f6d5bd19f7f526e3

    SHA1

    130a9bfb932fb95c8564f1635255dbd02dc59558

    SHA256

    eac57939f82f70dfa7b918001404282a17e15cd5d1271d074ad62cf96f16a8a4

    SHA512

    121e90cdf0236314799edb3d5ad0721e4233cb8b1989a5aefe2ddf3a677eae25f9816a00d2549377a517468200ddbb46874a7528aa927422af03b8b922862dcc

    Download Submit
  • memory/532-133-0x0000000000000000-mapping.dmp
    Download
  • memory/532-141-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/708-199-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/708-197-0x0000000000000000-mapping.dmp
    Download
  • memory/708-202-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1012-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1012-144-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1084-157-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1084-152-0x0000000000000000-mapping.dmp
    Download
  • memory/1264-163-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1264-158-0x0000000000000000-mapping.dmp
    Download
  • memory/1520-196-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1520-191-0x0000000000000000-mapping.dmp
    Download
  • memory/1732-148-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1732-145-0x0000000000000000-mapping.dmp
    Download
  • memory/1732-151-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2104-212-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2104-208-0x0000000000000000-mapping.dmp
    Download
  • memory/3112-213-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3112-176-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3112-130-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3172-203-0x0000000000000000-mapping.dmp
    Download
  • memory/3172-207-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3724-192-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3724-186-0x0000000000000000-mapping.dmp
    Download
  • memory/4340-181-0x0000000000000000-mapping.dmp
    Download
  • memory/4340-187-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4728-170-0x0000000000000000-mapping.dmp
    Download
  • memory/4728-175-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4808-177-0x0000000000000000-mapping.dmp
    Download
  • memory/4808-182-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4816-164-0x0000000000000000-mapping.dmp
    Download
  • memory/4816-169-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download