Analysis

  • max time kernel
    82s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-03-2024 01:12

General

  • Target

    d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe

  • Size

    196KB

  • MD5

    80d765bf7ac04c4607cacf0754b73178

  • SHA1

    a2a91440be0fd6d4f316553926bcda919032b776

  • SHA256

    d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea

  • SHA512

    e0a09385f64e0ac27c3d894f7bf4d3ed5f115265c1b23fd7ac2166ec4023402abcca1b3dd499a68ee59b31331ede66fec50331eb88ac7427a820bd0bb7b297b9

  • SSDEEP

    3072:ZOgUXoutNzxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoSJRARoYlld9n2Qpmx

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 31 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe
    "C:\Users\Admin\AppData\Local\Temp\d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3392
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3416
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4848
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1652
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1472
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4752
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:688
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2484
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3688
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3856
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4704
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:220
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4288
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    196KB

    MD5

    cb36ccbd5f4c4991948112a9fe95fba3

    SHA1

    d7c088407eafd663320f883306f29742c305f0cd

    SHA256

    f103f5beedd95b19f5c4c812a4a8e6efea6fb151187ac188e032d44e457544b2

    SHA512

    8706897ad2fe36390c102dd75ebb26caa163b819320ade7e322c2ab0c17037ce0a14bc7633d8625dd87185fb27763fdabd6ea9acf161efd5de31deaff0f0a7a0

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    196KB

    MD5

    ba24778a2aeba87659528db0af6dca0e

    SHA1

    5f26cbb9be4e7f88bb05d9738e05d2e0ae9ddaa6

    SHA256

    6a6c7fc5e45ed5d9bf1d8b7bfdc475c7b11708f55bca0ff2fcbf2009bba67459

    SHA512

    873d941e62fde2f4a0a58b5e613ee5c800e38c479e262e08cade22321d67d49410be748a13374f0ae7bc198464bc15849ecbc5c69365325397a571d73070daa7

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    196KB

    MD5

    87a048082bd5ac5725f5e406d83506ee

    SHA1

    d9da3e63a3d4fb35cf3e5b8962f59e9891c20659

    SHA256

    a07b6658c4ebc690857912b474fecbe5f63ad4598e0cf42c5e470ffb93abd80d

    SHA512

    42416b3dc65fd9a083967858544a119e00c33a37e7250fd51c4db9995e9d55a8d0e602211541b6a3fa438907c6d8251c58744caaa3c81f3ad230278ba5c4a9c1

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    196KB

    MD5

    bfd927fce2f1be80eebd4428e2c3e980

    SHA1

    275187965ab3fb9c27e5bec226ee1776a92eb0f3

    SHA256

    b648ba1898b9daac4fbf4f1eac7cc6bfc7bb6ee95471e4d3ae2e7fed0040d226

    SHA512

    4e3fb589af6a1bdb3092d285f37d0b043bd3eabd470385668e1322c7e8392689cbac8631181c0bf73e1ce64992a3008d9acf4a42fe2e39b4d42733b104f3ffc3

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    196KB

    MD5

    80d765bf7ac04c4607cacf0754b73178

    SHA1

    a2a91440be0fd6d4f316553926bcda919032b776

    SHA256

    d0b0e88ab222105f1e5235625f39e99d1a49f135cc2a69e2dbfba6ac049f4dea

    SHA512

    e0a09385f64e0ac27c3d894f7bf4d3ed5f115265c1b23fd7ac2166ec4023402abcca1b3dd499a68ee59b31331ede66fec50331eb88ac7427a820bd0bb7b297b9

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

    Filesize

    196KB

    MD5

    0b6befa0b2f71d21b36dfbb77f5c9b5d

    SHA1

    8478c381c2ae47a6f7fdb6a99d20c82abebe2bce

    SHA256

    4a959b568e7d886196a8cc2cb6fcfc68237d0941368d1de82c089275dbe06939

    SHA512

    65b44e7284bd70a862392151702f50562b9c7173724c8531599730b328f561994caf9586fb893576535ea83bbc4a05947cfcfe883451ff85c4bd0764d8f43474

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

    Filesize

    196KB

    MD5

    c53cc9d54244417c1e39d1da16800719

    SHA1

    88303c6204f4f44e1622f6a19e5df4988076475c

    SHA256

    f64ecb1d2278a1f934ba5e0a35606c503d6aa3911108df162a316e907e13a3d2

    SHA512

    788d2b68dd4ddeb99d6f54975aeb6996c2241b1a65dd812bb0ea6c8373793b9561d2823784264454b7e0f4de184ce82b0be3e0e9676df1bc310c118c234b633b

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    196KB

    MD5

    264add4cbbac39d4a43e53f1b2a44024

    SHA1

    1b0624af52094966a70530f3bc8c707b7ebb7ac7

    SHA256

    33a91d839594579a993a2b95302273ccfad1271023ece8bbe059d21ac17721a1

    SHA512

    c47036e94952f0716bf3cb182fcc8858f3c46809d25de1a2a10692a63a3fe51a679d23e1716c98d00a697faa3c962060eaa87809b3d7852397ee23d2feaa800f

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    196KB

    MD5

    4104fc40a610b8a94a90fd54f95bac7d

    SHA1

    7503f1d46267b335916ca5b324473fe895a28217

    SHA256

    1b5bfafdd46f6b2caefada3389232c574af0eb10a8ac1b2105ed213ff12ba853

    SHA512

    cf86727c7d12802e6f6e7706772011ce845d1bb9f131df55b132faccf777c00750bb1a29620fca90978bc7f6741be45e9a4acf8cc0afadd7adad2115e5f1648a

  • C:\Windows\xk.exe

    Filesize

    196KB

    MD5

    ae19ea68fa7ffce267ed420a1a33164a

    SHA1

    b59539dc7497f63aa3dd8ac961c29b2d39c8b0e2

    SHA256

    ce2217063b1d9f0cd2587a489e6c4eae1988ebc5ede7a8b5a7a45f20ea098e9e

    SHA512

    b64a768aae28cc2fa453bef73eb76d482b5f674b628699e46cf8757cb59373c19340c529aa80e39da6a088d69e2d70aa2a81b076b495e64290d49b58f574c638

  • C:\Windows\xk.exe

    Filesize

    196KB

    MD5

    33989d5888f63fe75248ba9238fb25fd

    SHA1

    bea98c9e0bf6ba2a817893d298a6b91c3c91b421

    SHA256

    2c2cebd4f826831e4b70f43dfa58148235455023c90fba7cc4ebbd455b2a6ee2

    SHA512

    e9c0cd0fb7b8663c53f93ca60c9c625c30052897ca77517f188a5fe93df0ad476a3a54b249b7c300fb7bbd2dc7f0eeccc3576ac33b984a5ec662a29656ced8d9

  • memory/220-248-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/688-188-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1472-180-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1652-135-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1672-256-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2484-194-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2948-206-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3392-210-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3392-257-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3392-239-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3392-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3416-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3416-108-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3688-200-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3856-213-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4288-253-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4704-244-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4752-183-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4848-115-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4848-118-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB