Overview

overview

10

Static

static

8

5ccdbaba0b...38.exe

windows7_x64

10

5ccdbaba0b...38.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1617s
  • max time network
    1588s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138.exe

  • Size

    196KB

  • MD5

    76a87f38773537055dc197c98182f4aa

  • SHA1

    c43348da0830418f4faba651caf147c830da0f06

  • SHA256

    5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138

  • SHA512

    d387ca6d152e5a8267af15dcd60ff42976320b86f0617f91db81804b80b37bda8c5be19445320cdc3bc62417637e96687fa96adfb854106bb2c08633ed3c0f7b

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • UPX packed file 38 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138.exe
    "C:\Users\Admin\AppData\Local\Temp\5ccdbaba0b4e818fd6a30898ec037389a6d1249cc5a642b9f9760c55c7104138.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2804
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4956
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4932
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1824
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1572
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4052
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2840
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4540
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4040
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2644
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4164
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2712
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3292
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:928
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Change Default File Association

1
T1042

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    691f19c911b15959ebef247289e6622a

    SHA1

    6d1d994a34a839eb871bb2774ca92225b5a0a143

    SHA256

    de8d2f7fd94da7305362c9d24628246d2b28a38999145f7b3bf52670b9d9f9b9

    SHA512

    b5817e983150ecd2fe69a16e2d48e1a525dcbced1aba245669af3e02af2523b8de176eee406380835bcc0f025f06eddcd2ee4dd5df80127b30e725a2aec7b987

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    fc29722cfaa1993f4ada62904b344f58

    SHA1

    8b3a9d5df526c18f7ac0c59d04ea429350bfe6a2

    SHA256

    695e682c2e3173000c6904cdc4e1f926faf7bf41aff4eae1c85bc9d21d26ce4d

    SHA512

    9caa23ef442ee3ebd09bbe352e96e98bc0f7e07465ee5b6b791f86a93efa0ebfad98816d18a7c39ff2651c3d10adcca2e90b4cfe202013a270607e89389648d1

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    16656ad1f70257af03e40a67eb31e3c2

    SHA1

    bf0ba8c8cd5cb69ae4b7f2cd0bc2fae82b46755f

    SHA256

    a92426d65b782ecc6872b0af40fe148ae048e08ac7aa616dbc29a82bf990ecdc

    SHA512

    69f85685fbf8f4886215ba7ba176acd88cf40c09080791c6f3fc7d85f705b4363f83f3ce4171030c352e57c09f73556d4766b31672e1c4c9e66d445914a8244b

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    a8f8c1cba6287e99c0e9bba3a03458b3

    SHA1

    0366943020024b5eb16a1672aa94469737ff8286

    SHA256

    3a1d375399c5a458120048af6deddfed8a3474e81b4ddebc32f6a1f87567bcc2

    SHA512

    cb7cbe942aefc9871235f9d871ed597c86ff1b5670615eaf1afe68512ebd477be775e59814e1c39a401d89244e8e9826d4e8e6062543fc819e6a72dc54e78feb

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    4051f71d32da3e668dea9120b38710e3

    SHA1

    046e2f85e8bef600f973a52de54eef171cbd7a7e

    SHA256

    7b64be8b230c770312ded323231d1702ff3400950e076c691c9b73ecd7c374a6

    SHA512

    00530123463e3d88fd5001b4d62a64e9e45d77eceef99f932a66a5bc4867db7a4167e8dc36617893e18935aa07b0fc253090fe63b46052f13f17937be193ee72

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    fcb5e21b8a23d98983e1139d39042573

    SHA1

    746fca6739ca8758008e42e9aa90f5d03102b7db

    SHA256

    81fcf3455dbcac6b5dce908073e8e68497b346543490fde5c1639faacc73353e

    SHA512

    860f09f23dd91291c48d9c0caf2f816cb18ee6e8a79342af2522312d267d38211cb53499c8641d1ee3e7173122879b5bf8abe42726239a3db6636784f5a4172d

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    931abc8f67cde6655246998382d08fc9

    SHA1

    ab96fdf9a76732c01b4a459b6618c626685dab5b

    SHA256

    26d5d036d16ab692c3eeca3a93c1688982706a5ef012809d8adcbc199c53c08f

    SHA512

    1c4798e5338656286045be5dbb72b75d7baed21a1080bef7b0080ba4231dbe7b240ab169ba56b52f35b4edca629152de0fab5e63fdc26a53c9bfb41d40a6a04a

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    9c1147031f8b1aedc446db44a9007480

    SHA1

    9c5d6e55db9397357c6349201d877a03880d54d1

    SHA256

    ac7ad530dd3511c8e507881acd7e367955702f9f9af087f420b1d8c81b88de36

    SHA512

    c156266872e838e75b10bedf4ddef3feb61c6314107cf851023a4e5ea5b72aa332ce446e26b8dd0bb481bde1d6205727983d879f326aee72216c75e037041805

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    3992e19f37aa555697dc55a5541e40e2

    SHA1

    8658559cf343fef71862e59e625cb87fd0f1e7f8

    SHA256

    efd6ca01d1f36ab971965dda1dd6104a4151f205fe8242965f3be222c85b02c6

    SHA512

    abc6a5e04312a0a09d7e69a94ed8c52f4ad89f364d189733fb69b795a810ff13ecbde858ebde5eacb76edac720adef98e7ffc3e4f7de69ca4705e4f299654267

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    e81d33bbf5b4171b8aaead25922c3d88

    SHA1

    6a410222f0292e6ae1857a34823b811f37375286

    SHA256

    d074efcdaadae165f8204f5935fc60655e1f0ac4b05b171bf7bd53fa84349f22

    SHA512

    1d543a4c72e778bf820788d613c843fdfd3dec715d523c718156d73951a337a3513d11ad6541c02a8f57491efdc3cf126fbb57c3bc1b2e4afc68160e8d69be5a

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    691f19c911b15959ebef247289e6622a

    SHA1

    6d1d994a34a839eb871bb2774ca92225b5a0a143

    SHA256

    de8d2f7fd94da7305362c9d24628246d2b28a38999145f7b3bf52670b9d9f9b9

    SHA512

    b5817e983150ecd2fe69a16e2d48e1a525dcbced1aba245669af3e02af2523b8de176eee406380835bcc0f025f06eddcd2ee4dd5df80127b30e725a2aec7b987

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    16656ad1f70257af03e40a67eb31e3c2

    SHA1

    bf0ba8c8cd5cb69ae4b7f2cd0bc2fae82b46755f

    SHA256

    a92426d65b782ecc6872b0af40fe148ae048e08ac7aa616dbc29a82bf990ecdc

    SHA512

    69f85685fbf8f4886215ba7ba176acd88cf40c09080791c6f3fc7d85f705b4363f83f3ce4171030c352e57c09f73556d4766b31672e1c4c9e66d445914a8244b

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    4051f71d32da3e668dea9120b38710e3

    SHA1

    046e2f85e8bef600f973a52de54eef171cbd7a7e

    SHA256

    7b64be8b230c770312ded323231d1702ff3400950e076c691c9b73ecd7c374a6

    SHA512

    00530123463e3d88fd5001b4d62a64e9e45d77eceef99f932a66a5bc4867db7a4167e8dc36617893e18935aa07b0fc253090fe63b46052f13f17937be193ee72

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    931abc8f67cde6655246998382d08fc9

    SHA1

    ab96fdf9a76732c01b4a459b6618c626685dab5b

    SHA256

    26d5d036d16ab692c3eeca3a93c1688982706a5ef012809d8adcbc199c53c08f

    SHA512

    1c4798e5338656286045be5dbb72b75d7baed21a1080bef7b0080ba4231dbe7b240ab169ba56b52f35b4edca629152de0fab5e63fdc26a53c9bfb41d40a6a04a

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    3992e19f37aa555697dc55a5541e40e2

    SHA1

    8658559cf343fef71862e59e625cb87fd0f1e7f8

    SHA256

    efd6ca01d1f36ab971965dda1dd6104a4151f205fe8242965f3be222c85b02c6

    SHA512

    abc6a5e04312a0a09d7e69a94ed8c52f4ad89f364d189733fb69b795a810ff13ecbde858ebde5eacb76edac720adef98e7ffc3e4f7de69ca4705e4f299654267

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    9520947ce5fa89bdfc33de9da015b6ff

    SHA1

    10fa6c1641038a90e1a096f35b225056b5fe66c5

    SHA256

    f1393eab33a87edca9ceddd4fc16ff9153c59bed2352794164a871aa5721ab7d

    SHA512

    35e87d6cf57277864635f579fe691a8808b93294e00892f4808dc41bf7b24ed81b5df89200b2a7ffdabb34a2ce5460211dbd5d1b9120cdca6ae7ff53d5a98671

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    9520947ce5fa89bdfc33de9da015b6ff

    SHA1

    10fa6c1641038a90e1a096f35b225056b5fe66c5

    SHA256

    f1393eab33a87edca9ceddd4fc16ff9153c59bed2352794164a871aa5721ab7d

    SHA512

    35e87d6cf57277864635f579fe691a8808b93294e00892f4808dc41bf7b24ed81b5df89200b2a7ffdabb34a2ce5460211dbd5d1b9120cdca6ae7ff53d5a98671

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    743a9d7c15c08bd58e0058b2ce2c7626

    SHA1

    a726081c2e306ce85f44eae518fd9e82904df7f5

    SHA256

    7ec506ab9034a8243cba86c0da0b46f7c16cd9edc1fe64f50dfe3cc6584098a0

    SHA512

    0dc2f9795bc7404f7061714a9136e34cb78627ff93af5dc4779f14d916c6040bdf0c016c6cc27ebd20ec7cfc43742c95c27d8c1574955cba75f6d310a5305984

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    424e0ca73647cc6a635429bb7f2ef671

    SHA1

    1c420163f43f482e3111e93542da92275e7ff277

    SHA256

    0787c1f0a987bdeffb43eaa0c308586939bec8f3d37cbae6e0fd9df77902a89d

    SHA512

    efd376993cc667397a1de75a9a3dde0857ba97388a09d51c11c562f0d5b30def55b08aca65f84a2f6dec1acc46cf65fca11380b367f6dac0fb625590cd87ee32

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    424e0ca73647cc6a635429bb7f2ef671

    SHA1

    1c420163f43f482e3111e93542da92275e7ff277

    SHA256

    0787c1f0a987bdeffb43eaa0c308586939bec8f3d37cbae6e0fd9df77902a89d

    SHA512

    efd376993cc667397a1de75a9a3dde0857ba97388a09d51c11c562f0d5b30def55b08aca65f84a2f6dec1acc46cf65fca11380b367f6dac0fb625590cd87ee32

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    5ab417f0731261d56b21377699b9ff49

    SHA1

    eedcfb3143ea64e92869b85cbbd2ce4b303653c7

    SHA256

    464ffba40f771f04561cd0fde9ac03b80aaeefa02ed9db71f00ee439ae5e3003

    SHA512

    4e992bf42c44e7864d0a690d5402adbe85dad7582eb2cf74fa73d5bf9011e2356e4e7bccbedf268ca4d8c837f968b99c759a31608dc3d5305542824a30272249

    Download Submit
  • memory/608-205-0x0000000000000000-mapping.dmp
    Download
  • memory/608-210-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/928-201-0x0000000000000000-mapping.dmp
    Download
  • memory/928-206-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1572-151-0x0000000000000000-mapping.dmp
    Download
  • memory/1572-156-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1824-145-0x0000000000000000-mapping.dmp
    Download
  • memory/1824-150-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2644-181-0x0000000000000000-mapping.dmp
    Download
  • memory/2644-185-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2712-196-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2712-191-0x0000000000000000-mapping.dmp
    Download
  • memory/2804-211-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2804-175-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2804-132-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2840-168-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2840-163-0x0000000000000000-mapping.dmp
    Download
  • memory/3292-200-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3292-195-0x0000000000000000-mapping.dmp
    Download
  • memory/4040-176-0x0000000000000000-mapping.dmp
    Download
  • memory/4040-180-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4052-162-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4052-157-0x0000000000000000-mapping.dmp
    Download
  • memory/4164-186-0x0000000000000000-mapping.dmp
    Download
  • memory/4164-190-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4540-169-0x0000000000000000-mapping.dmp
    Download
  • memory/4540-174-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4932-144-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4932-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4956-138-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4956-133-0x0000000000000000-mapping.dmp
    Download