Overview

overview

10

Static

static

8

b586e273e3...fa.exe

windows7_x64

10

b586e273e3...fa.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    1615s
  • max time network
    1586s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07-07-2022 04:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b586e273e32d82be2dd0b63643844b390f2cba6e28fdf9f4987820794d4c04fa.exe

  • Size

    196KB

  • MD5

    0de432f495f6c4c2eb4319cf0c3586ed

  • SHA1

    a72ce804d4e7e536236533811492f27ea76c0478

  • SHA256

    b586e273e32d82be2dd0b63643844b390f2cba6e28fdf9f4987820794d4c04fa

  • SHA512

    9a23466019ca0b1377ace88df146e402e189cfb8cf9269c742457264a257efd6d30c9882cf1105f86d7ccf0aa8cc271c9388a50c4da3812586ed1a7ddccf6230

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • UPX packed file 39 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b586e273e32d82be2dd0b63643844b390f2cba6e28fdf9f4987820794d4c04fa.exe
    "C:\Users\Admin\AppData\Local\Temp\b586e273e32d82be2dd0b63643844b390f2cba6e28fdf9f4987820794d4c04fa.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system executable filetype association
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4860
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3920
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3588
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4904
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4300
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2128
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4720
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4616
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4696
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4344
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1300
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:960
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4976
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4796
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Change Default File Association

1
T1042

Hidden Files and Directories

2
T1158

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Hidden Files and Directories

2
T1158

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    4c13fb68c66900252b1ca3621d11f75c

    SHA1

    ceededaea9f5895a5f4ed2faa3523b093fa44373

    SHA256

    843feb2aa276095cfb9d07ee851d068943d8544307a2e290cc32ed6547f0693a

    SHA512

    15ed0c8e7ab11adca945b8d2b8fa160dd3ba31b06765b8c1fca3c10f566f5efbb80136f724602adb32843da98e5f6049fdaaee83f065b8ebd697c13ad7ef69ed

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    5b05b20b6860b156e6ae1d19c53775c1

    SHA1

    27e71bf78bd54a27389bbf31e479f6a1fdd97dd2

    SHA256

    cdd8b4865e6328dd6171daa20d5b6c5d56714602868e18e92976d02c431166e5

    SHA512

    e0d656db2e5a6a7c273f554e98cbcec9903cbe152fe1b3099fe35d4880343b62a1364028e963d790318204a6979354795111b17f6dcd0cb3e2be735bef00cb4f

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    426b3e9dac80fd200e2b8a8114187bd7

    SHA1

    f89d0926a94a76c018f0a9490c9ae397d511d6f6

    SHA256

    7133e7f17e52ea25fdada32730f57c936be75e1fa95fb468ab13bddb25f2adcd

    SHA512

    3d17fae69fd0fcc6752ae7914f9623f4c78fa1ae1e99a5520f4219d8dd38f79ab5c147197a19f57989bd2b6c604213bffae86d5dcd328d09d23821e40fe4f7da

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    426b3e9dac80fd200e2b8a8114187bd7

    SHA1

    f89d0926a94a76c018f0a9490c9ae397d511d6f6

    SHA256

    7133e7f17e52ea25fdada32730f57c936be75e1fa95fb468ab13bddb25f2adcd

    SHA512

    3d17fae69fd0fcc6752ae7914f9623f4c78fa1ae1e99a5520f4219d8dd38f79ab5c147197a19f57989bd2b6c604213bffae86d5dcd328d09d23821e40fe4f7da

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    bae44483646c26ecabdfa333865838b7

    SHA1

    4d451b06b7f2d296be40265d50d4e3226dcf13ed

    SHA256

    f2c5a0c0e721b1b4f6a3f98e797ecdb6e2f3581b7b743fa8bed72d753559fd62

    SHA512

    c4fc2746f18d50ec7dc8d8831980858d12b12c40145c9f6fa3f15ebd75989ab7a7dde26e21f2c75b1a4b8744ea7ec613f4e4f7e19b6568ba27ed0ae9a1cde9d5

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    964260988a2d9ebb74af497f8c57b59e

    SHA1

    0b3f4360f3f61fc58611a6bd44b97066a30c463c

    SHA256

    926f547da978be55eeb6641333a55992fdc807b821ba79e49ddc18d22947105b

    SHA512

    c52e4bbe7c357f9f8b56dd51913404c151d405833118125e77b8427305bb5808cd7fd38cc06682ac7eff2ca78d5ccbc6a6bfffd1a3f1dc644daf0a2fffb8526d

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    c7d966d575e6dbcf17205bde11b71f5d

    SHA1

    ead9e3d116b761bdc6a4d9e1a35ef61c44f7e3a3

    SHA256

    6a6ec728b5db9dbfe636158f8a0602009904e02afd1635b3ac2124509b03858e

    SHA512

    20546d709a97e4c64ba3e0ee7aabb1500c30d0a4a1556e92fa49a41ca8e04c63b86a536a81b6a9eb14a989d51b7300d1e9a7b82b06a3653fc4232a1542ca65d4

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    c7d966d575e6dbcf17205bde11b71f5d

    SHA1

    ead9e3d116b761bdc6a4d9e1a35ef61c44f7e3a3

    SHA256

    6a6ec728b5db9dbfe636158f8a0602009904e02afd1635b3ac2124509b03858e

    SHA512

    20546d709a97e4c64ba3e0ee7aabb1500c30d0a4a1556e92fa49a41ca8e04c63b86a536a81b6a9eb14a989d51b7300d1e9a7b82b06a3653fc4232a1542ca65d4

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    695d2ae61aa8d97e705ee81ce8724b01

    SHA1

    88d8baa5ff3b59e7083d2b8b2d6a37aba0a5d1af

    SHA256

    764439b55d2fe1afac381b38960216c935273efc6b054d1896ef99100fd9758e

    SHA512

    9e99dd49ea8391ee67d3f68bf79b61f3a63ad3c4908cd0893958d0de2d1c11d28e903bcdbc5a15b5b567541bfb56361d105010a1045df55c13017c35280c155e

    Download Submit
  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    2578e08bb1626e90aa74409f84fa95c8

    SHA1

    f7f3dfb636783878774dc276de431e183069c7dc

    SHA256

    062793a37cd167ad80980b264b472098001c8507437b9140f64269c938345154

    SHA512

    20c29acf886d5c97999042882422f1518d31931fa5a5f9d934cdd96a46118fa4c557a0d5fd826ff6781e1e14c3410f41f0912515f760f392116de991aa47c701

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Filesize

    196KB

    MD5

    4c13fb68c66900252b1ca3621d11f75c

    SHA1

    ceededaea9f5895a5f4ed2faa3523b093fa44373

    SHA256

    843feb2aa276095cfb9d07ee851d068943d8544307a2e290cc32ed6547f0693a

    SHA512

    15ed0c8e7ab11adca945b8d2b8fa160dd3ba31b06765b8c1fca3c10f566f5efbb80136f724602adb32843da98e5f6049fdaaee83f065b8ebd697c13ad7ef69ed

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Filesize

    196KB

    MD5

    426b3e9dac80fd200e2b8a8114187bd7

    SHA1

    f89d0926a94a76c018f0a9490c9ae397d511d6f6

    SHA256

    7133e7f17e52ea25fdada32730f57c936be75e1fa95fb468ab13bddb25f2adcd

    SHA512

    3d17fae69fd0fcc6752ae7914f9623f4c78fa1ae1e99a5520f4219d8dd38f79ab5c147197a19f57989bd2b6c604213bffae86d5dcd328d09d23821e40fe4f7da

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    196KB

    MD5

    bae44483646c26ecabdfa333865838b7

    SHA1

    4d451b06b7f2d296be40265d50d4e3226dcf13ed

    SHA256

    f2c5a0c0e721b1b4f6a3f98e797ecdb6e2f3581b7b743fa8bed72d753559fd62

    SHA512

    c4fc2746f18d50ec7dc8d8831980858d12b12c40145c9f6fa3f15ebd75989ab7a7dde26e21f2c75b1a4b8744ea7ec613f4e4f7e19b6568ba27ed0ae9a1cde9d5

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    Filesize

    196KB

    MD5

    c7d966d575e6dbcf17205bde11b71f5d

    SHA1

    ead9e3d116b761bdc6a4d9e1a35ef61c44f7e3a3

    SHA256

    6a6ec728b5db9dbfe636158f8a0602009904e02afd1635b3ac2124509b03858e

    SHA512

    20546d709a97e4c64ba3e0ee7aabb1500c30d0a4a1556e92fa49a41ca8e04c63b86a536a81b6a9eb14a989d51b7300d1e9a7b82b06a3653fc4232a1542ca65d4

    Download Submit
  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize

    196KB

    MD5

    695d2ae61aa8d97e705ee81ce8724b01

    SHA1

    88d8baa5ff3b59e7083d2b8b2d6a37aba0a5d1af

    SHA256

    764439b55d2fe1afac381b38960216c935273efc6b054d1896ef99100fd9758e

    SHA512

    9e99dd49ea8391ee67d3f68bf79b61f3a63ad3c4908cd0893958d0de2d1c11d28e903bcdbc5a15b5b567541bfb56361d105010a1045df55c13017c35280c155e

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    816f3280776f73fd4ae86a02fc9e9f2c

    SHA1

    41f993bd3d736b90efb31ef318c39e4b07e88e57

    SHA256

    5fd9dede776bc7e65da4e0a93eb3c6f8f1c4282533775934696d8ba686a74383

    SHA512

    f48f931ab780e3538803a29b99c3e05848d31dfb9eb713bc2a88b993e0de19fbe999033160ec282ceeae0104d1ca22e26081774b20dfc16a89a4e00d9e251595

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    816f3280776f73fd4ae86a02fc9e9f2c

    SHA1

    41f993bd3d736b90efb31ef318c39e4b07e88e57

    SHA256

    5fd9dede776bc7e65da4e0a93eb3c6f8f1c4282533775934696d8ba686a74383

    SHA512

    f48f931ab780e3538803a29b99c3e05848d31dfb9eb713bc2a88b993e0de19fbe999033160ec282ceeae0104d1ca22e26081774b20dfc16a89a4e00d9e251595

    Download Submit
  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    196KB

    MD5

    0918911152f279cd92b71b1afd939904

    SHA1

    d0a32700945a7bcfe4c5b81ac4a8ee770c37a07a

    SHA256

    2c554a8e52fbac8375bd517d582448a918af036baefac408bc6b554fcf5d7a31

    SHA512

    f729decbdd128404a1843bb7468411d5d17f1f2062c62da6f95acda4ce5515797ff96f88e316f5b7bab8668abe21262e1b3bd53eaa02750edbc78f35d3913d81

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    3cf3970be23163fcade9901046739256

    SHA1

    3a0dc950221a54a0bd2a3047a24448ad15a2ccac

    SHA256

    62ad2d9acbfa41e98670e493aa208256cef3aec429d9797778cda7e923823072

    SHA512

    c68b7b46c3b4da0b3d483c5721f93881eb26a909b6c579266fbfa8c4e0c7850bbc8c3f4ef4328491f34de5ff1008481a7f358e2ade8cb66343fcf93f1b78ff89

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    3cf3970be23163fcade9901046739256

    SHA1

    3a0dc950221a54a0bd2a3047a24448ad15a2ccac

    SHA256

    62ad2d9acbfa41e98670e493aa208256cef3aec429d9797778cda7e923823072

    SHA512

    c68b7b46c3b4da0b3d483c5721f93881eb26a909b6c579266fbfa8c4e0c7850bbc8c3f4ef4328491f34de5ff1008481a7f358e2ade8cb66343fcf93f1b78ff89

    Download Submit
  • C:\Windows\xk.exe
    Filesize

    196KB

    MD5

    acd680d3a329b9785affce37bd72670f

    SHA1

    f80e43a59fd8d2724f0beb6bf2bccd2c0583fea5

    SHA256

    d50ffd3327e44a8ad4ddfb03ca940bb50420e13a177cd5e2b938d901d38e739c

    SHA512

    ee6a2f3bc297b3ea7eea24fc668d90c6fa4e5fb931caa67bc47d9b88b74789e9ca9cc7af8f1c2f859dff0e5e54753a2856336d860c781df2ddd40bde543e5990

    Download Submit
  • memory/960-188-0x0000000000000000-mapping.dmp
    Download
  • memory/960-193-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1300-182-0x0000000000000000-mapping.dmp
    Download
  • memory/1300-187-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2128-162-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2128-157-0x0000000000000000-mapping.dmp
    Download
  • memory/3588-138-0x0000000000000000-mapping.dmp
    Download
  • memory/3588-144-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3728-211-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3728-206-0x0000000000000000-mapping.dmp
    Download
  • memory/3920-139-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3920-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4300-151-0x0000000000000000-mapping.dmp
    Download
  • memory/4300-156-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4344-183-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4344-177-0x0000000000000000-mapping.dmp
    Download
  • memory/4616-172-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4616-167-0x0000000000000000-mapping.dmp
    Download
  • memory/4696-179-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4696-173-0x0000000000000000-mapping.dmp
    Download
  • memory/4720-163-0x0000000000000000-mapping.dmp
    Download
  • memory/4720-168-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4796-202-0x0000000000000000-mapping.dmp
    Download
  • memory/4796-207-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4860-201-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4860-130-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4860-212-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4904-150-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4904-145-0x0000000000000000-mapping.dmp
    Download
  • memory/4976-197-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4976-200-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4976-194-0x0000000000000000-mapping.dmp
    Download