Overview

overview

10

Static

static

8

5ccdbaba0b...38.exe

windows7_x64

10

5ccdbaba0b...38.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1610s
  • max time network
    1613s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    07-07-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138.exe

  • Size

    196KB

  • MD5

    76a87f38773537055dc197c98182f4aa

  • SHA1

    c43348da0830418f4faba651caf147c830da0f06

  • SHA256

    5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138

  • SHA512

    d387ca6d152e5a8267af15dcd60ff42976320b86f0617f91db81804b80b37bda8c5be19445320cdc3bc62417637e96687fa96adfb854106bb2c08633ed3c0f7b

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • UPX packed file 27 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138.exe
    "C:\Users\Admin\AppData\Local\Temp\5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1972
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1312
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1756
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1292
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:964
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:896
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:680
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1392

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    17cfb20a8689a52b74d80edd11dcad90

    SHA1

    7b15d3d931a6b9faaf7e284d6892c04dd580302e

    SHA256

    7e08b138b09db7a7facdafdb816d55f42c4186dfec072e76a1b635aad24a3608

    SHA512

    a70ea1e47e4d5664e5113a070db10481ef19cfa857799d9a3dbcabe75e073445a4be8c6d0282a7d44e8c1c8926351a0fdfdce98bcaef782532c970a8b46ffa09

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    a73ddd82d280dedf23939f7031337c94

    SHA1

    dc735130e3ff4ff66eef1da8fb0f37c1342d9d52

    SHA256

    ce48c9c3b4f638e63c69061704164926655d600c96df21553f62982c0a6331c0

    SHA512

    2636e55a1bbb18220ba4505536fceefa5cbff2b845794db46cdc9c941d8d7f89e3d9fda4a6e0446af0e12b46962cfda33e94f63ec120be3dd5a066b56c27fbff

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    ecfece72a21cc1c1ea972b1955c3d947

    SHA1

    591f03a2243fb10710f3425b60bb14f7acb6da96

    SHA256

    c7763145d6b475cfc66752445a65ad818c0237987edf16e2c8bc5d298dc0ad82

    SHA512

    3a73a91a8a116e33231dc83538ee66721cc8437388ae575823194ddab42faab6262577d2c41ba982199a2f2305e5d24f03ff5c9c8e0d5e74988fffc881d92828

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    d0e2d2c200b19df8de531d9eeb6fa56b

    SHA1

    9de3824559c46eda7bfe376183c3856ec7a07932

    SHA256

    1a0fc025a8c51b90d2f8d8a5cc4d68fa138c37640ee8894e52f929ff36382b5a

    SHA512

    2cb7daefd8ac36af9970e6a7e98f18a56b0c74a9888e88a4ce28138cb3266e9a86e0753a5bfb64f75e6db52ff865a235eb9917db8428c082b70b36f558da768a

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    1baf38e45eeea3a0f9034f82d0e88cdf

    SHA1

    95d88231391b80987f85073a5d12a0fa04f4c1e8

    SHA256

    d87ac1957cd00759ea283bb4ebdfa36c68193578b3a9e1c135e7f39af93e800e

    SHA512

    356cd18f4f005df948aa1b8c925625628f552e91a524fa15e8f01b4041f339955d280d624505ff3550d60ba60afdc44c0be8357c8b071553eabd91e0e3d46f71

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    6dfbb3ee9f617c3d1ae42382407bbb88

    SHA1

    216aa740d13c8e7160e77108aca414b0fe14d4a3

    SHA256

    8a80aa5cd78d9009c669b7b675a0d01bca05b44617360ecc8c5ddb5d2319227b

    SHA512

    be7566b9e9b777c913afa9083bca0a63ed9501456d5019974086ddf27ab2b82b451c71b191e28386c0ea04cc199f3ca72cd8f863425a852ac0af47d41456d5ee

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    4c09f4544fdfa2a6471d84eb179025dc

    SHA1

    400d9403a7d6c8b3525ab89fa7242ce795cb1717

    SHA256

    14bb56950e93e67ccc7670ef7d866d67e4c3ea43f2525ff962452f648a7eff70

    SHA512

    cd1fce2b44ee62c50369268dfd8a55926ed87d6c09c39eed3adb700265e1354c46223d31701780cc07bfd5bcac57fda85c210d4aaed822b78024c42ade1fc2eb

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    17cfb20a8689a52b74d80edd11dcad90

    SHA1

    7b15d3d931a6b9faaf7e284d6892c04dd580302e

    SHA256

    7e08b138b09db7a7facdafdb816d55f42c4186dfec072e76a1b635aad24a3608

    SHA512

    a70ea1e47e4d5664e5113a070db10481ef19cfa857799d9a3dbcabe75e073445a4be8c6d0282a7d44e8c1c8926351a0fdfdce98bcaef782532c970a8b46ffa09

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    17cfb20a8689a52b74d80edd11dcad90

    SHA1

    7b15d3d931a6b9faaf7e284d6892c04dd580302e

    SHA256

    7e08b138b09db7a7facdafdb816d55f42c4186dfec072e76a1b635aad24a3608

    SHA512

    a70ea1e47e4d5664e5113a070db10481ef19cfa857799d9a3dbcabe75e073445a4be8c6d0282a7d44e8c1c8926351a0fdfdce98bcaef782532c970a8b46ffa09

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    a73ddd82d280dedf23939f7031337c94

    SHA1

    dc735130e3ff4ff66eef1da8fb0f37c1342d9d52

    SHA256

    ce48c9c3b4f638e63c69061704164926655d600c96df21553f62982c0a6331c0

    SHA512

    2636e55a1bbb18220ba4505536fceefa5cbff2b845794db46cdc9c941d8d7f89e3d9fda4a6e0446af0e12b46962cfda33e94f63ec120be3dd5a066b56c27fbff

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    a73ddd82d280dedf23939f7031337c94

    SHA1

    dc735130e3ff4ff66eef1da8fb0f37c1342d9d52

    SHA256

    ce48c9c3b4f638e63c69061704164926655d600c96df21553f62982c0a6331c0

    SHA512

    2636e55a1bbb18220ba4505536fceefa5cbff2b845794db46cdc9c941d8d7f89e3d9fda4a6e0446af0e12b46962cfda33e94f63ec120be3dd5a066b56c27fbff

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    ecfece72a21cc1c1ea972b1955c3d947

    SHA1

    591f03a2243fb10710f3425b60bb14f7acb6da96

    SHA256

    c7763145d6b475cfc66752445a65ad818c0237987edf16e2c8bc5d298dc0ad82

    SHA512

    3a73a91a8a116e33231dc83538ee66721cc8437388ae575823194ddab42faab6262577d2c41ba982199a2f2305e5d24f03ff5c9c8e0d5e74988fffc881d92828

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    ecfece72a21cc1c1ea972b1955c3d947

    SHA1

    591f03a2243fb10710f3425b60bb14f7acb6da96

    SHA256

    c7763145d6b475cfc66752445a65ad818c0237987edf16e2c8bc5d298dc0ad82

    SHA512

    3a73a91a8a116e33231dc83538ee66721cc8437388ae575823194ddab42faab6262577d2c41ba982199a2f2305e5d24f03ff5c9c8e0d5e74988fffc881d92828

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    d0e2d2c200b19df8de531d9eeb6fa56b

    SHA1

    9de3824559c46eda7bfe376183c3856ec7a07932

    SHA256

    1a0fc025a8c51b90d2f8d8a5cc4d68fa138c37640ee8894e52f929ff36382b5a

    SHA512

    2cb7daefd8ac36af9970e6a7e98f18a56b0c74a9888e88a4ce28138cb3266e9a86e0753a5bfb64f75e6db52ff865a235eb9917db8428c082b70b36f558da768a

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    d0e2d2c200b19df8de531d9eeb6fa56b

    SHA1

    9de3824559c46eda7bfe376183c3856ec7a07932

    SHA256

    1a0fc025a8c51b90d2f8d8a5cc4d68fa138c37640ee8894e52f929ff36382b5a

    SHA512

    2cb7daefd8ac36af9970e6a7e98f18a56b0c74a9888e88a4ce28138cb3266e9a86e0753a5bfb64f75e6db52ff865a235eb9917db8428c082b70b36f558da768a

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    1baf38e45eeea3a0f9034f82d0e88cdf

    SHA1

    95d88231391b80987f85073a5d12a0fa04f4c1e8

    SHA256

    d87ac1957cd00759ea283bb4ebdfa36c68193578b3a9e1c135e7f39af93e800e

    SHA512

    356cd18f4f005df948aa1b8c925625628f552e91a524fa15e8f01b4041f339955d280d624505ff3550d60ba60afdc44c0be8357c8b071553eabd91e0e3d46f71

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    1baf38e45eeea3a0f9034f82d0e88cdf

    SHA1

    95d88231391b80987f85073a5d12a0fa04f4c1e8

    SHA256

    d87ac1957cd00759ea283bb4ebdfa36c68193578b3a9e1c135e7f39af93e800e

    SHA512

    356cd18f4f005df948aa1b8c925625628f552e91a524fa15e8f01b4041f339955d280d624505ff3550d60ba60afdc44c0be8357c8b071553eabd91e0e3d46f71

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    6dfbb3ee9f617c3d1ae42382407bbb88

    SHA1

    216aa740d13c8e7160e77108aca414b0fe14d4a3

    SHA256

    8a80aa5cd78d9009c669b7b675a0d01bca05b44617360ecc8c5ddb5d2319227b

    SHA512

    be7566b9e9b777c913afa9083bca0a63ed9501456d5019974086ddf27ab2b82b451c71b191e28386c0ea04cc199f3ca72cd8f863425a852ac0af47d41456d5ee

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    6dfbb3ee9f617c3d1ae42382407bbb88

    SHA1

    216aa740d13c8e7160e77108aca414b0fe14d4a3

    SHA256

    8a80aa5cd78d9009c669b7b675a0d01bca05b44617360ecc8c5ddb5d2319227b

    SHA512

    be7566b9e9b777c913afa9083bca0a63ed9501456d5019974086ddf27ab2b82b451c71b191e28386c0ea04cc199f3ca72cd8f863425a852ac0af47d41456d5ee

    Download Submit

  • memory/680-96-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/680-92-0x0000000000000000-mapping.dmp

    Download

  • memory/896-85-0x0000000000000000-mapping.dmp

    Download

  • memory/896-89-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/964-82-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/964-78-0x0000000000000000-mapping.dmp

    Download

  • memory/1292-71-0x0000000000000000-mapping.dmp

    Download

  • memory/1292-75-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1312-61-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1312-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1392-99-0x0000000000000000-mapping.dmp

    Download

  • memory/1392-103-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1756-64-0x0000000000000000-mapping.dmp

    Download

  • memory/1756-68-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1972-56-0x0000000075F21000-0x0000000075F23000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1972-104-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download