Analysis
-
max time kernel
38s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
06/01/2024, 20:31
General
-
Target
c4a207a1574ca79e8d9a58966442c3c3.exe
-
Size
91KB
-
MD5
c4a207a1574ca79e8d9a58966442c3c3
-
SHA1
739db52301aa8eb01f1f510379f5f6d3e31acbd7
-
SHA256
5de115e117fb951891688bd72562b5f28493feb7dc42ccbdb60bde7a6db43356
-
SHA512
ec05857fc1e15f92a08f927e2c2bc0b70fa632bad30047e0ccb5601f433b78f2f562fe8f524218fa98ba27ca3a55ba58587b1ffc7e4e9bdd1ea9901d7b212fe3
-
SSDEEP
1536:jRsjdEIUFC2p79OCnouy8VDLRsjdEIUFC2p79OCnouy8VDd:jOm9CshoutdLOm9Cshoutdd
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 6 IoCs
-
Modifies system executable filetype association 2 TTPs 13 IoCs
-
UPX packed file 39 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4a207a1574ca79e8d9a58966442c3c3.exe"C:\Users\Admin\AppData\Local\Temp\c4a207a1574ca79e8d9a58966442c3c3.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5ec3aa274abf4dc6162fc26ddb55b60f6
SHA1b57e325bd571f6d435dd5cd4b5275f07f0fe0f2e
SHA256af51a2235b6cb2341770928da92b3581956287d71e423858b85c431426aa04e0
SHA5122ebb083f47981372bc82dcefdf4ce6bd6af17190b6e704ffae59639bb94e670232d06ea5cb25586cbf32ce6d4b46a176afc3b1594adaf4166ed64d768730045f
-
Filesize
6KB
MD557fce24d1b4ab5063669d204c93db96a
SHA15c5ad7fd6dafd89aa031a4e4f7753a7add08642a
SHA256128c7b86af56b7b0a7dc8aeaf17d560ac312e7998036066ec783cbc857c95aec
SHA51255e8b6d6ec1b61b75694b7197ec99a1b5ae504e1e7b28965bbe96626b3ceefe2f3ad9602470dff4a2a7b7a76d60026f9e78ecc1f0856fc227c2e024de13ee1c9
-
Filesize
29KB
MD57995fcbd6126f671acd74861f0ee1c3b
SHA10e3eae8097b3ba0f550bb8a0c19cbc27559a1d89
SHA2566fbe5947fccd0b731dc6fc2fa91f4e518a3f2ddff043fbfe9f38016d4087fe6e
SHA5123ce6708b06d5ce4d16f7318b09bee4a13a183cedd5030f6069924136e72b5b5883b1521992042debee2c5a2badabd936cb867830d0055d24d8a0fdd3d2f4a453
-
Filesize
9KB
MD5c499863dd7a63a8b01e114068432d190
SHA1ae0d34669a55e45b0b03db9b075e566b0a9d3da5
SHA2565ad19ba64607dac7973bbcc6c9606e379f6bd63a606e429e9bccc42677c2edd0
SHA5126d6866f1ebc1957e969e219cd81e5ac5c43eda892f383860fb7585a41e8948d5f609a335a1c30f8cbf5d47c9ce80943aa5f5eec65261176f33152316ef35b1a1
-
Filesize
40KB
MD5f69648a4b83e2524e7482219095961ff
SHA1f583a77f31eebbdba8cfc1c4bb0282b1c2d88081
SHA256703e2c7ea7369459ac5383c2d1ddbba15a7df7a8cf63c9dbdc5edf948bdf6cf5
SHA512613f78c10dea424afd039845eae24b72ee967e860b45ffb129f2e81ee5d337ca61f6c49b1441e29918a5b0ab7602d6f6a4b16e2521bc0c800893e294e0a8a72b
-
Filesize
5KB
MD5d6e040eec77484519aa8417caee0309b
SHA1ca63e99c91ed9c11a6552aaea7d87b2fcc92fe10
SHA25634f9097e6bf50e5d417fa34ca17f4682daac1975905d3ae8e1f538a400ed15e8
SHA512ee29cf90f72f768eb5fa655ef2a20ab99e2b9b842efbe119f8f00beab686aa9388f595497085afba139e36ea4ef3ca67b9eb13e1d68ecf2e5f308394e6df4605
-
Filesize
22KB
MD59920a39f993728afea6146bf30b5d786
SHA197c83757e64e3774bde283b80cd193ac1beb3ed0
SHA2569a95862765ef471bee2af1350d946c7d3909b78376b07ac7065e9724c1033d9b
SHA51258769d6340bbfa91d7f203545f108adbc237297bd79257019cab409e86f93a121662247b884fa29828659c65af5f0bd813b3839686f428792238061ce408d586
-
Filesize
40KB
MD52d88835626b2140930ebf07b7ea807fc
SHA198edab921750d98d0adf661009c53e5ac6b35b59
SHA2565d90dc2e8df415c91e0754f4deb28601e0b24372488f2de48186876078974c0a
SHA5120450baf4599c4a98ee5e58f017e691d944337f6b13a04d47d0657218485c701fd551dc1ad8637dc36ed8143994457dd924b6bb6c846222dc828ce39a86e23607
-
Filesize
10KB
MD5f36087d3c3a1e89998d52543fab33a81
SHA170a040b009f2a3d34231fb4a87c234ef4f9b2128
SHA256c8ea5f32d4cb513f487af986eac3a02a2c3f2e43594bcacd51cb7872bc634f90
SHA5128947838d67e6936cee068ed7bafee7d16177ecb90dffa945109ed5cc98568fd1a3e7436e80d3094afbbab4cc4df873b2d71976ad0148095194ea5dbefdf2564a
-
Filesize
21KB
MD584b7657a0c7e057798f23f318ac28454
SHA18fdb0c3f07eb15bae06a5d48812e7c7076433fe8
SHA256062c8cf283a2935e0179cdfa02cae10b2711d3a5a6a51427e66efceec46fe314
SHA5127690939a69e01bdac6fa435bf4ae1e80eb922582765e88bea9853f04ae7197732d4e018cb750e24a2a729cdd166029c56294b5cf2ab89ca098ec4bcd22f63800
-
Filesize
22KB
MD5bc1d62aa91735e161b4ca16c156da2dc
SHA1fca63a8a5aac265cbf6dfef1c3758c58769b8da8
SHA256346d87c4afbdbc5bde8ce443a85d2e9b9b185fd07923e49b81ed77f0b6d71366
SHA51286a3b19acb22c6d2ad0ca4207c040354a493955ad98ffb211445ec714aeef7b2754bed8c3b7b7acfb6eaeecb5452e796c1fb4e4ef5f06a7f63118f32c25c0f6c
-
Filesize
29KB
MD5bae20e4ad1f676ea5d1c3d8bcd91a35f
SHA16624424e354675399ab30ee1850bdce7b580b7e9
SHA256637f373987729572785bd2df2ade682d31f3e7adacfc657c12f269063447c9a5
SHA512fc98e35321f4bed97d12cc89912ef10e7687ae1caa603f4cd4bc90801ef93c47302af46ce5607cd1deffa926ba43119bf42ea9eed5e01f50795353ae4198b41d
-
Filesize
1KB
MD53156cefc6423d1912091aa4f29098903
SHA19444f2122873eaaa2b81a6e861dd472a3e18900d
SHA256410060d76e08becddcea512df09f51ee43cf0468391a203d923099f498dcf573
SHA512fdfa038a603f0f12610182cc038aaa79effaba9ccc1000865c4418baf1574cb9fcbdac33b10e6dca9938057a3a89a7792fcffc13f1dc3ecefac7fbed2efc87bc
-
Filesize
12KB
MD501eb5603c41c005b88c96b00d9733043
SHA151b583083f1f03d86fbc502e5216f8088ed281ad
SHA25664b9f40e2b5f394f964b23a604c4c8ccba3706981836d0c4c017c0e1023ad0fb
SHA5126695cba344af720a9acf1415a0638e5388fb2cda3150b04d7cff3c3b8de289058e0abc3f595542ae831ec4270a9dd95363287a84606f7f8c35e6114f326ec30a
-
Filesize
12KB
MD5b374e446c253d0414faaa59dcef1d6a4
SHA1ef6cbaf173fa919377f125fdd3c5a45657828a1d
SHA25628fe9b6cab28093e792f5c06ae349a40d6165f941b00f1f462c7b298e4553626
SHA512186b45b49eed65524c86cc947686cfa604f85f1e05c656d2cf4dd51aa5f3163a35992a2fb8e16681c85640f525a2fdf152c6dd27631ff37db14384f1304eec6a
-
Filesize
18KB
MD5cc451f6d088d4db57adc15ad07acaa56
SHA14e9579976edd5182f5b3bd88d21123184750b342
SHA256b4e1758838fa7eadc8f48acea9d3f2988e6afc708ba059472053599d737a55e3
SHA51201bb9b1ca768e18aeff81d072abad709aa4b7a3d36539802c33baa77494e8dc446e4cdab6e6114514eaec8179d7daee4e146a3f1950a77c3065275bd45614356
-
Filesize
27KB
MD5fa3c0d22d5fe202ceaef9a777014537c
SHA1f45822e252c2ab501dfcd3d43e3d5f5267c4bec9
SHA2569c3d34b5341a79ffb9241d8f4dc1058928787f731233da511eaf0c5027e881fb
SHA512a8c7e7fdd2f97c5cf3dd58e4e82ac2f1b5b7933c95945cc44309cd0de8d266e49486ed8b236cc13ba4b588a780354c6208483f6ce263ee1006bf2868ca0f4c6d
-
Filesize
10KB
MD5dd384fb56496186d93ab922a60b1d025
SHA143dee3a2f5aaa129236ecd9ceca60531bd3bc0d7
SHA2563999f1169840c3a8c00462454a5063a99730714bbd4d2480a65df600c980ca8c
SHA512dbc0c8f86a3558bc97e5a869f3e83eb85c95c09fec5ee128e1da3ce9e6be28d073bb2c35604abc4d797174f3909b179b889a68851a2e523b4f3c58cbacde0ec9
-
Filesize
217B
MD5c00d8433fe598abff197e690231531e0
SHA14f6b87a4327ff5343e9e87275d505b9f145a7e42
SHA25652fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e
SHA512a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
188KB