Analysis

  • max time kernel
    139s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-10-2023 01:35

General

  • Target

    a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

  • Size

    164KB

  • MD5

    a7d0433ce4435d2cc4b806da76dbe360

  • SHA1

    991a569024b6320e0894e2f4459cb4b4b7a05390

  • SHA256

    25aeb8acc6bae3bf19beb66c996f8763ecbc0f6595068f188e157d1880a35d28

  • SHA512

    2890284e536bce55062d1a10eddb1f45a9ef52e81c8af75d1bec54299eff3a25aff44683b70daa66884a46db46daadb578c6fee7ef2e433084cb0c2639aedafe

  • SSDEEP

    3072:Ax/5F/E7tEf0G+p+tYlpJH7iXQNgggHlxDZiYLK5Wph:AxhF4cX+wWJH7igNgjdFKs

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
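The signatures above name behaviour classes (Winlogon persistence, Explorer view settings, RegEdit disabled, exefile handler hijack, Run keys, System Restore policy) but the report does not list the registry values the sample actually wrote. The following is an added example, not part of this report or of the sandbox's own tooling: a Python check that reads the standard Windows locations behind each of those signature classes and compares them with a clean-state baseline, and that treats a Run entry as suspicious when it launches a core system process name from anywhere but System32 or points at one of the binary paths this report shows being dropped. The baseline values, the `EXAMPLE_SNAPSHOT` and the value names are my assumptions; adjust them to your own build.

```python
"""Check a host's registry against the behaviour classes named by this report's signatures.

Added example, not part of the sandbox report. The key paths are the standard Windows
locations behind each signature; the report does not list the values the sample wrote,
so the clean-state baseline is an assumption to adjust to your own build.
"""
import re
import sys

# Clean-state values per key; an absent value is treated as its default.
BASELINE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon":
        {"Shell": "explorer.exe", "Userinit": r"C:\Windows\system32\userinit.exe,"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 0},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore": {"DisableSR": 0},
    r"HKCR\exefile\shell\open\command": {"": '"%1" %*'},   # anything else hijacks every .exe launch
}
# Explorer view settings: HideFileExt=1 / ShowSuperHidden=0 are Windows defaults, so the
# state alone is weak evidence; this is an assumed hardened baseline (extensions and
# hidden/protected files shown). Only explicit deviations from it are reported.
EXPLORER_ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
EXPLORER_BASELINE = {"HideFileExt": 0, "Hidden": 1, "ShowSuperHidden": 1}
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# Core system process names: the real copies live in System32 and never start from a Run key.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
# Binary paths the report shows the sample dropping (lower-cased for comparison).
REPORTED_DROP_PATHS = {r"c:\windows\xk.exe", r"c:\windows\syswow64\iexplorer.exe",
                       r"c:\windows\system32\iexplorer.exe"}

# Constructed snapshot mirroring the report's signature classes; these are NOT the
# sample's real registry writes, which the report does not list.
EXAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon":
        {"Shell": r"Explorer.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 1},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore": {"DisableSR": 1},
    r"HKCR\exefile\shell\open\command": {"": r'"C:\Windows\xk.exe" "%1" %*'},
    EXPLORER_ADVANCED: {"HideFileExt": 1, "ShowSuperHidden": 0},
    RUN_KEYS[0]: {"Windows": r'"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"'},
    RUN_KEYS[1]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},  # benign
}


def _norm(value):
    return str(value).strip().lower()


def suspicious_command(cmd):
    """True if a Run-key command launches a system-process impersonator or a reported drop path."""
    match = re.match(r'\s*"?(.*?\.exe)', cmd, re.IGNORECASE)  # path up to the first .exe, quoted or not
    if not match:
        return False
    path = match.group(1).lower()
    folder, _, name = path.rpartition("\\")
    if name in SYSTEM_PROCESS_NAMES and folder != r"c:\windows\system32":
        return True
    return path in REPORTED_DROP_PATHS


def evaluate(snapshot):
    """Return one human-readable finding per deviation from the baseline."""
    findings = []
    for key, expected in BASELINE.items():
        present = snapshot.get(key, {})
        for name, clean in expected.items():
            actual = present.get(name, clean)
            if _norm(actual) != _norm(clean):
                findings.append(f"{key}\\{name or '(Default)'} = {actual!r}, expected {clean!r}")
    advanced = snapshot.get(EXPLORER_ADVANCED, {})
    for name, want in EXPLORER_BASELINE.items():
        if name in advanced and advanced[name] != want:
            findings.append(f"{EXPLORER_ADVANCED}\\{name} = {advanced[name]}, baseline {want}")
    for key in RUN_KEYS:
        for name, cmd in snapshot.get(key, {}).items():
            if suspicious_command(str(cmd)):
                findings.append(f"{key}\\{name} -> {cmd}")
    return findings


def collect_snapshot():
    """Read the keys above from the live registry (Windows only; returns {} elsewhere)."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    snapshot = {}
    for key in (*BASELINE, EXPLORER_ADVANCED, *RUN_KEYS):
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as handle:
                values, index = {}, 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:
                        break          # no more values
                    values[name] = data
                    index += 1
        except OSError:
            continue                   # key absent: defaults apply
        snapshot[key] = values
    return snapshot


if __name__ == "__main__":
    live = collect_snapshot()
    for line in evaluate(live or EXAMPLE_SNAPSHOT):
        print(line)
```

Run it on Windows as the user whose HKCU hive the sample touched (the Explorer, Policies and HKCU Run values are per-user); on any other platform it evaluates the constructed snapshot. Two caveats: the Explorer view values are also the Windows defaults, so the evidence in this report is the write itself, not the resulting state, and on a host you can only use state if your baseline enforces the hardened values; and the `DisableSR` policy is one way to disable System Restore, not necessarily the one this sample used.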

Processes

  • C:\Users\Admin\AppData\Local\Temp\a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1336
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3788
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4224
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:796
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1008
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5000
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3572
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1928
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3200
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5116
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3744
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3396
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1188
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    164KB

    MD5

    2639ef8ca7a59eced0ee556411fef065

    SHA1

    8b5819ee8c072b4267589925d367aaef38891029

    SHA256

    253b14b184f4542261f183a4e3f65a9e43bd9c64eb15fe992c00fd53c932bd5b

    SHA512

    ce63e9036b13b57186b9852def564b77563a8f0e057ed545a9e72e91a611ebecb1f0a7fb7e66c1cb2ab801d3f9dbf676d75496062e5101f888e4d2d01d64428d

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    164KB

    MD5

    a483d0ffd2e799c8631f8d7377294a03

    SHA1

    abb20558147d5055c0645b5d707ffe7df654833f

    SHA256

    c45c687910d0da1cd2c03c71c1b38d9da5f4130a36524d5b09578197fff04bf1

    SHA512

    b0da63534e9d3594406332325c1bba6cda20bd65122aa3b5ae6c9f29983671029b02d885a30bc6795c61187b96cfa15e1d5d5de1ab84214b16b37375c3a6d7e4

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    164KB

    MD5

    ed3c6df4e02d527e5f00eba5b4f42cd0

    SHA1

    a936a34d590631e7037e2faa60d7675b8957f007

    SHA256

    68f2b24da725bf5a1de3d3fd71d96a95d96241e93ea780d4fb676ee1e03c88b1

    SHA512

    bb1f91b3bbf1e51594be8cb892635abfda24c1cb4ba4734b02d0c1af74a3f10f9a95caa830e2f0ddf0a8e9d0ae20e16a40264238918ded2b5dbfe8bef68857df

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    164KB

    MD5

    a306b813f4c43a532249360889d73048

    SHA1

    9ab8f24e802ffa5348da4a1b4835e28fc9073500

    SHA256

    385521db24dd9bb18d936fbbdbf8daed57dac645981343a1becbfb33f4cb19cf

    SHA512

    4b19be548acbd0fc8431a3512904a615bcec90a30b9a0fe17ab1518d25cfe8f74612120248e51a83f6f0be648fced3229940d24a338aa2f8c94ba602652e98e4

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    164KB

    MD5

    10b2670c2931f4b831b0c16d5415e293

    SHA1

    6aa4fffb1bc2f67266764478c3db1e06760f618b

    SHA256

    3a8ced2d0c8b1b5343e3dd47933027339b9e1e24e2c642ccd852df1857ae4a14

    SHA512

    94b8d89de9d3476ff93225af62845c291d3709c5ff193064704967db6fa9d5bec41e0b7c0f4f85353e19ecbde0332548eb48ae6bfa7322c61d399db23bf19036

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    164KB

    MD5

    60d4feeeec7eed4fb255be021f93cbcc

    SHA1

    99300f5eaea4abf5ccb4ff3e9f0a731f3fb98fe6

    SHA256

    b17f62115278f2df7a039b95cb2690a18b56a22e29574baae1ce791964216225

    SHA512

    0b0f14b033a73c6ab7b5d5f778a527b81dbfab217254735bd389defa021a0b7fd911124a46126fc1d30ee40a9273a7c334208940a15870d8fae55d9d1a8f30b0

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    164KB

    MD5

    3c6d5c0c7459a1cd0a57bed13d200573

    SHA1

    84277318f5f61c656e1cfd1ff47f5b1ce413be07

    SHA256

    96649dde039757f931239d624cf56230fb9139fc7df2633cb7b2b7c229b17868

    SHA512

    a547a393c4847a70e02298d9c755b9cc4a33b2a42f900a25cc99fb56eff37fa4bef1012dbc328db22c3973207e74e89c3ea449290ef21ad458418d31f09f9de2

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    164KB

    MD5

    44b491719fbd0d86eacb994bc26856f3

    SHA1

    05ecbdf1ee436b470aad99f818c0a63eea9e9c64

    SHA256

    adb234ae7beaff35fc097d34fa9945664e6f9a7adf8e4a9df08870d0e58cbebe

    SHA512

    ae9daf64a509044a6626b34663b1aabffac2691979be89acf4ead6c96c2718d0e5a93615be9c7196029040ae7b91213a29958a94fdaf7a16673cc3ef8cf5314e

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    164KB

    MD5

    ec8a0303d0f2f19d98be942bd37f58c4

    SHA1

    8807d808f3b32ce70358719597c3ae753ed6d509

    SHA256

    2f7231b01b768405c229f8c53f6896503f69a3baca96aabc17bd2f61192eaf2a

    SHA512

    4c2a17ba1957747198961c22058a1ed892c2209f3a5389696243471c2f56e6d247611d511c681d55d862612503eadde249983e0c015f1c88635e3074cd032685

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    164KB

    MD5

    6cc97dedb3a7d66b056941585586a7a0

    SHA1

    ed2e52954cee865fac641a9624a364037eb319ea

    SHA256

    ea6836d626adb0394e97fa80350fe176d3031e7a870e38355e35877f6b0e4bf4

    SHA512

    722163a2c66f8cb7a8c3c79f47c753ba309c04e05f5aebda7124d150b27ff56c5b0c7c44b540dd20c7624081c7f83785586447b521f725acd1666f6ab4ff23ae

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    164KB

    MD5

    a7d0433ce4435d2cc4b806da76dbe360

    SHA1

    991a569024b6320e0894e2f4459cb4b4b7a05390

    SHA256

    25aeb8acc6bae3bf19beb66c996f8763ecbc0f6595068f188e157d1880a35d28

    SHA512

    2890284e536bce55062d1a10eddb1f45a9ef52e81c8af75d1bec54299eff3a25aff44683b70daa66884a46db46daadb578c6fee7ef2e433084cb0c2639aedafe

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

    Filesize

    164KB

    MD5

    a483d0ffd2e799c8631f8d7377294a03

    SHA1

    abb20558147d5055c0645b5d707ffe7df654833f

    SHA256

    c45c687910d0da1cd2c03c71c1b38d9da5f4130a36524d5b09578197fff04bf1

    SHA512

    b0da63534e9d3594406332325c1bba6cda20bd65122aa3b5ae6c9f29983671029b02d885a30bc6795c61187b96cfa15e1d5d5de1ab84214b16b37375c3a6d7e4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

    Filesize

    164KB

    MD5

    a306b813f4c43a532249360889d73048

    SHA1

    9ab8f24e802ffa5348da4a1b4835e28fc9073500

    SHA256

    385521db24dd9bb18d936fbbdbf8daed57dac645981343a1becbfb33f4cb19cf

    SHA512

    4b19be548acbd0fc8431a3512904a615bcec90a30b9a0fe17ab1518d25cfe8f74612120248e51a83f6f0be648fced3229940d24a338aa2f8c94ba602652e98e4

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

    Filesize

    164KB

    MD5

    60d4feeeec7eed4fb255be021f93cbcc

    SHA1

    99300f5eaea4abf5ccb4ff3e9f0a731f3fb98fe6

    SHA256

    b17f62115278f2df7a039b95cb2690a18b56a22e29574baae1ce791964216225

    SHA512

    0b0f14b033a73c6ab7b5d5f778a527b81dbfab217254735bd389defa021a0b7fd911124a46126fc1d30ee40a9273a7c334208940a15870d8fae55d9d1a8f30b0

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

    Filesize

    164KB

    MD5

    44b491719fbd0d86eacb994bc26856f3

    SHA1

    05ecbdf1ee436b470aad99f818c0a63eea9e9c64

    SHA256

    adb234ae7beaff35fc097d34fa9945664e6f9a7adf8e4a9df08870d0e58cbebe

    SHA512

    ae9daf64a509044a6626b34663b1aabffac2691979be89acf4ead6c96c2718d0e5a93615be9c7196029040ae7b91213a29958a94fdaf7a16673cc3ef8cf5314e

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

    Filesize

    164KB

    MD5

    6cc97dedb3a7d66b056941585586a7a0

    SHA1

    ed2e52954cee865fac641a9624a364037eb319ea

    SHA256

    ea6836d626adb0394e97fa80350fe176d3031e7a870e38355e35877f6b0e4bf4

    SHA512

    722163a2c66f8cb7a8c3c79f47c753ba309c04e05f5aebda7124d150b27ff56c5b0c7c44b540dd20c7624081c7f83785586447b521f725acd1666f6ab4ff23ae

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    164KB

    MD5

    2dc496e7c9ac003c98a48e055d7f1c81

    SHA1

    575a4487e1375d442d397338b9b85842ae600bf3

    SHA256

    17d981aa8e1997b808ea60025037823d62cd3a8f270ba02b09457d20f82a4f7c

    SHA512

    90cdd020a4356d5039e1e4157942af45b4d2a188d3893ca75c39f4723c391a4767ee252a6b2f9c8d9cd99869df5692b4ca4e87f84d37e55a59c6e0dd89eb5988

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    164KB

    MD5

    e4ab1e77f7398c6cbd33560f710166a7

    SHA1

    92d9dbdd6747a6d3e37fbaabfc51e6cf09f72d3d

    SHA256

    3fc0b972218a62f4ae99aedfd189fc87428f1d72b9eef1719a7d2e163da77c55

    SHA512

    245889ebf2e407b1d85df869bf8aeaf6b666d00b7576ae12ac87520769a5eb568f053ef09929f48a7032eaa2c1a49f352bf22f18f8360c18bd71fc7c0920cc5c

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    164KB

    MD5

    e4ab1e77f7398c6cbd33560f710166a7

    SHA1

    92d9dbdd6747a6d3e37fbaabfc51e6cf09f72d3d

    SHA256

    3fc0b972218a62f4ae99aedfd189fc87428f1d72b9eef1719a7d2e163da77c55

    SHA512

    245889ebf2e407b1d85df869bf8aeaf6b666d00b7576ae12ac87520769a5eb568f053ef09929f48a7032eaa2c1a49f352bf22f18f8360c18bd71fc7c0920cc5c

  • C:\Windows\xk.exe

    Filesize

    164KB

    MD5

    299480b1fc771d362428eabe55a4c3ad

    SHA1

    b3fdd9b270f4461e18ee26ee91a64dc46e8ae266

    SHA256

    8f823e0e1cb14775d803250d7688ea29719b670a86b4d101f4168b77fdcc253c

    SHA512

    178fd45f91ca06e6cf2719fb051a18c7a99a5ca85c98714ef804c5765232641b662669ee7cba6d2bceac17545a51cdd26449c2ba0652ec0d2ccb108e2ee832d3

  • C:\Windows\xk.exe

    Filesize

    164KB

    MD5

    9e1f1dedf49f1c188bd4f8a2ec17b187

    SHA1

    51b077d0af1d8250868c72586275efabad0725d3

    SHA256

    6aec1beb40caaa3e700d63c03f07a5ce16f9f58a8a8879478bcdd1749d3a132c

    SHA512

    fc8eaa2425748b795bd96e4c9f7fab85c761d9ae3b6a994a40c62731ea20f40f542f170167c65b933414aac9cba8b369a60ae99287a0a5a5148d36d31fdaadee

  • C:\Windows\xk.exe

    Filesize

    164KB

    MD5

    9e1f1dedf49f1c188bd4f8a2ec17b187

    SHA1

    51b077d0af1d8250868c72586275efabad0725d3

    SHA256

    6aec1beb40caaa3e700d63c03f07a5ce16f9f58a8a8879478bcdd1749d3a132c

    SHA512

    fc8eaa2425748b795bd96e4c9f7fab85c761d9ae3b6a994a40c62731ea20f40f542f170167c65b933414aac9cba8b369a60ae99287a0a5a5148d36d31fdaadee

  • C:\XK\Folder.htt

    Filesize

    640B

    MD5

    5d142e7978321fde49abd9a068b64d97

    SHA1

    70020fcf7f3d6dafb6c8cd7a55395196a487bef4

    SHA256

    fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

    SHA512

    2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

  • C:\desktop.ini

    Filesize

    217B

    MD5

    c00d8433fe598abff197e690231531e0

    SHA1

    4f6b87a4327ff5343e9e87275d505b9f145a7e42

    SHA256

    52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

    SHA512

    a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1
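Three things in the Downloads list are worth reading before turning it into indicators. `C:\Users\Admin\AppData\Local\winlogon.exe` carries the same MD5/SHA1/SHA256 as the submitted sample, so it is a straight self-copy, while every other dropped binary has a different hash at the identical 164KB size (the two `CSRSS.EXE` entries alone differ), so an exact-hash rule will not catch the next copy. The process tree shows `C:\Windows\system32\IExplorer.exe` being launched but the file landing in `C:\Windows\SysWOW64\`, which is WOW64 file-system redirection for a 32-bit process (the `arch:x86` tag) rather than two separate drops. And the `C:\desktop.ini` plus `C:\XK\Folder.htt` pair is the folder-customisation mechanism older Explorer web views rendered, so it belongs in the indicator set as a path pattern. The following is an added example, not part of this report: a Python scanner that combines an exact SHA256 match against the report's hashes with a name/location rule for the five core system process names this sample impersonates. The constructed files in `demo()` are stand-ins, not the real binaries.

```python
"""Scan a directory tree for the files this report lists under Downloads.

Added example, not part of the sandbox report. Two rules: an exact SHA256 match
against the report's hashes, and name/location mimicry (smss.exe, csrss.exe,
lsass.exe, services.exe or winlogon.exe anywhere outside System32/WinSxS).
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the report's Downloads list (duplicate entries collapsed).
REPORT_SHA256 = {
    "25aeb8acc6bae3bf19beb66c996f8763ecbc0f6595068f188e157d1880a35d28",  # submitted sample == AppData\Local\winlogon.exe
    "253b14b184f4542261f183a4e3f65a9e43bd9c64eb15fe992c00fd53c932bd5b",  # CSRSS.EXE
    "c45c687910d0da1cd2c03c71c1b38d9da5f4130a36524d5b09578197fff04bf1",  # CSRSS.EXE
    "68f2b24da725bf5a1de3d3fd71d96a95d96241e93ea780d4fb676ee1e03c88b1",  # LSASS.EXE
    "385521db24dd9bb18d936fbbdbf8daed57dac645981343a1becbfb33f4cb19cf",  # LSASS.EXE
    "3a8ced2d0c8b1b5343e3dd47933027339b9e1e24e2c642ccd852df1857ae4a14",  # SERVICES.EXE
    "b17f62115278f2df7a039b95cb2690a18b56a22e29574baae1ce791964216225",  # SERVICES.EXE
    "96649dde039757f931239d624cf56230fb9139fc7df2633cb7b2b7c229b17868",  # SMSS.EXE
    "adb234ae7beaff35fc097d34fa9945664e6f9a7adf8e4a9df08870d0e58cbebe",  # SMSS.EXE
    "2f7231b01b768405c229f8c53f6896503f69a3baca96aabc17bd2f61192eaf2a",  # WINLOGON.EXE
    "ea6836d626adb0394e97fa80350fe176d3031e7a870e38355e35877f6b0e4bf4",  # WINLOGON.EXE
    "17d981aa8e1997b808ea60025037823d62cd3a8f270ba02b09457d20f82a4f7c",  # SysWOW64\IExplorer.exe
    "3fc0b972218a62f4ae99aedfd189fc87428f1d72b9eef1719a7d2e163da77c55",  # SysWOW64\IExplorer.exe
    "8f823e0e1cb14775d803250d7688ea29719b670a86b4d101f4168b77fdcc253c",  # Windows\xk.exe
    "6aec1beb40caaa3e700d63c03f07a5ce16f9f58a8a8879478bcdd1749d3a132c",  # Windows\xk.exe
    "fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061",  # XK\Folder.htt
    "52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e",  # desktop.ini
}
MIMIC_NAMES = {"smss.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
LEGIT_DIRS = ("\\windows\\system32\\", "\\windows\\winsxs\\")   # where the real copies live


def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def is_mimic(win_path):
    """True for a system-process file name outside the directories that hold the genuine ones."""
    lowered = win_path.lower()
    name = lowered.rpartition("\\")[2]
    return name in MIMIC_NAMES and not any(d in lowered for d in LEGIT_DIRS)


def scan(root, hashes=REPORT_SHA256):
    """Walk root (treated as the C: volume) and return sorted (rule, relative_path) hits."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root)).replace("/", "\\")
        if is_mimic("c:\\" + rel):
            hits.append(("mimic", rel))
        if sha256_of(path) in hashes:
            hits.append(("hash", rel))
    return sorted(hits)


def demo():
    """Scan a constructed tree that mirrors the report's drop locations."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {   # constructed contents, not the real binaries
            "Windows/System32/smss.exe": b"stand-in for the genuine binary",
            "Users/Admin/AppData/Local/WINDOWS/SMSS.EXE": b"dropped copy with its own bytes",
            "Users/Admin/AppData/Local/winlogon.exe": b"self-copy of the sample",
            "Users/Admin/Documents/notes.txt": b"benign",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        # The hash rule needs a digest we can compute here, so the constructed
        # self-copy's SHA256 stands in for the report's value in this demo.
        known = REPORT_SHA256 | {sha256_of(root / "Users/Admin/AppData/Local/winlogon.exe")}
        return scan(root, known)


if __name__ == "__main__":
    for rule, rel in demo():
        print(f"{rule:5} {rel}")
```

On a mounted image or a live host, call `scan()` on the volume root with the default hash set; the mimicry rule is what carries the detection, since the hash set only matches the exact copies this run produced. Keep `WinSxS` in `LEGIT_DIRS` or the component store's own copies of these binaries will show up as hits.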