Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-03-2024 17:47

General

  • Target

    194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe

  • Size

    45KB

  • MD5

    270d7de5001bf0d43984acf26637694d

  • SHA1

    3648776149b5fd2408e9bb9eef9eac5da096e034

  • SHA256

    194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e

  • SHA512

    2268ff8fef0b42cbbcc0cabada31e3cc64387b9128055d0d3491734dcdec3b18caa4463626de63ce52cf35c4c22eed2bd18810b8fda61ec82550ac24608bc758

  • SSDEEP

    768:kSxam3Usjr3RT594UPS8GGCMDDxW738HbFtnbcuyD7UVOQI5noC:kRsjd3GR2Dxy387Lnouy8VTC

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 33 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 33 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
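The signature names above identify techniques, not the exact registry values the sample wrote. The script below is an added example and not part of the sandbox report: it reads the standard registry locations for each technique on a suspect host (Winlogon Shell/Userinit, the exefile open command, the DisableRegistryTools and DisableSR policies, the Explorer view settings, and the Run/RunOnce keys) and prints deviations from the Windows defaults. The defaults, and the heuristic used to flag Run entries, are assumptions stated in the comments; the only sample-specific inputs are the dropped file names xk.exe and IExplorer.exe taken from the process tree on this page. The check is read-only and should be run in an elevated PowerShell.

```powershell
# Added example, not from the report. Read-only hunt over the registry locations that
# the signature categories above map to. The "default" values are the Windows
# defaults (assumption); the page does not say which values the sample actually wrote.
# Run in an elevated PowerShell.

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. "Modifies WinLogon for persistence": Shell and Userinit are the usual targets.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell    = Get-RegValue $wl 'Shell'
$userinit = Get-RegValue $wl 'Userinit'
if ($shell -ne 'explorer.exe') {
    $findings.Add("[FLAG] HKLM Winlogon\Shell = '$shell' (default 'explorer.exe')")
}
if ($userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
    $findings.Add("[FLAG] HKLM Winlogon\Userinit = '$userinit' (default '<windir>\system32\userinit.exe,')")
}
# A per-user Shell value is honoured as well and is absent on a clean system.
$userShell = Get-RegValue 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
if ($null -ne $userShell) { $findings.Add("[FLAG] HKCU Winlogon\Shell = '$userShell' (absent by default)") }

# 2. "Modifies system executable filetype association": the exefile open command
#    must be "%1" %*; anything else runs an interposed binary on every .exe launch.
$exeKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
if ($exeCmd -ne '"%1" %*') {
    $findings.Add("[FLAG] exefile\shell\open\command = '$exeCmd' (default '""%1"" %*')")
}

# 3. "Disables RegEdit" / "Disables use of System Restore points" / "System policy
#    modification": these policy values are absent on a default install.
$policies = @(
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableSR' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';      Name = 'DisableConfig' }
)
foreach ($p in $policies) {
    $v = Get-RegValue $p.Path $p.Name
    if ($null -ne $v -and $v -ne 0) { $findings.Add("[FLAG] $($p.Path)\$($p.Name) = $v") }
}

# 4. "Modifies visibility of file extensions / hidden files": the stock values
#    (HideFileExt=1, Hidden=2, ShowSuperHidden=0) already hide things, so the
#    sandbox signature fires on the write, not on a particular value. Report only.
$adv = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($n in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
    $findings.Add("[info] Explorer\Advanced\$n = $(Get-RegValue $adv $n)")
}

# 5. "Adds Run key": list every entry; flag data that points into a user profile,
#    straight into \Windows\ (not System32), or at a file name this sample dropped
#    (xk.exe, IExplorer.exe, from the process tree on this page). Heuristic only.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        $data = [string]$prop.Value
        $flag = ($data -match 'AppData|Local Settings|Application Data') -or
                ($data -match '^"?[A-Za-z]:\\Windows\\[^\\]+\.exe') -or
                ($data -match '\\(xk|IExplorer)\.exe')
        $tag = if ($flag) { 'FLAG' } else { 'info' }
        $findings.Add("[$tag] $k\$($prop.Name) = $data")
    }
}

$findings
```

Lines tagged [FLAG] are deviations worth triaging; [info] lines are context. The Explorer view values are reported rather than judged because the defaults already hide extensions and hidden files, so only a write to them, not a particular value, separates this sample from a clean host.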

Processes

  • C:\Users\Admin\AppData\Local\Temp\194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe
    "C:\Users\Admin\AppData\Local\Temp\194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5000
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3004
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1148
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3220
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3584
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3804
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3800
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2376
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2964
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2128
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4016
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3428
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2576
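The tree above shows the dropper launching copies named after core Windows processes (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) from the user profile, plus xk.exe in C:\Windows and IExplorer.exe in SysWOW64. The "Local Settings\Application Data" path in the command lines is the legacy compatibility junction for AppData\Local, which is why the Downloads section lists the same files under C:\Users\Admin\AppData\Local\WINDOWS\. The script below is an added example, not part of the report: it enumerates running processes and flags core process names whose image is not under System32 or SysWOW64, and any process using one of the dropped non-system names. The core-name list and the rule that System32/SysWOW64 are their only legitimate homes are assumptions; the dropped names come from this page.

```powershell
# Added example, not from the report. Enumerate running processes and flag (a) core
# Windows process names whose image is not under System32/SysWOW64 and (b) the
# non-system file names this sample dropped. The core-name list and the rule that
# System32/SysWOW64 are their only legitimate homes are assumptions; the dropped
# names come from the process tree above. Run elevated so image paths are readable.

function Find-MasqueradingProcess {
    $coreNames = 'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe',
                 'wininit.exe', 'svchost.exe'
    $dropNames = 'xk.exe', 'iexplorer.exe'
    $sysDirs   = "$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\"

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $proc   = $_
        $name   = $proc.Name.ToLowerInvariant()
        $path   = $proc.ExecutablePath
        $reason = $null

        if ($coreNames -contains $name) {
            if (-not $path) {
                # Protected/system processes hide their path from non-elevated callers;
                # report it as unverified rather than silently passing it.
                $reason = 'core name, image path not readable (run elevated to verify)'
            } else {
                $inSys = $false
                foreach ($d in $sysDirs) {
                    if ($path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inSys = $true }
                }
                if (-not $inSys) { $reason = 'core process name outside System32/SysWOW64' }
            }
        } elseif ($dropNames -contains $name) {
            $reason = 'file name matches an executable dropped by this sample'
        }

        if ($reason) {
            [pscustomobject]@{
                PID    = $proc.ProcessId
                PPID   = $proc.ParentProcessId
                Name   = $proc.Name
                Path   = $path
                Reason = $reason
            }
        }
    }
}

Find-MasqueradingProcess | Format-Table -AutoSize
```

Win32_Process is used instead of Get-Process because it exposes ParentProcessId directly; in this run every masquerading copy has the original dropper (PID 5000) as its parent, which is a second signal a real smss.exe or csrss.exe never shows.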

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    f5f0b2d8f7def93777d833b4a6c44ced

    SHA1

    cd05f8aaca09a8b4174fd3443f3f96869c937761

    SHA256

    de532d17e9c232c6c66b6cfd7bb2474226dc3bd07d90e9c67cb9039f31a83ceb

    SHA512

    2a7f72fc1d6593dc43e93b8d5720d73cdee79ac33349f51a244257a95cfd155254bd21312ef57ddb29c13865714f27e447f3f8ba89d5b7e0efab21ff9a124417

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    667c2301ff47cfacd47fdc6c1da8a12f

    SHA1

    e8ccff577a4f06c3b32e4a0249b9818524f09e42

    SHA256

    1997f7457808108f20789454985bfdabcbb9376d8c53364f7dc47fd0b025ceee

    SHA512

    241f160a4fe78be635d31c230203b5b74e270d63e638a8071ad8a2ac05c482b467d27e537f2721bc8ab5062242f45698545aca711df310c4861835e7f3c81c17

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    45KB

    MD5

    dd0b6b1294997d60640fdec2dce59e01

    SHA1

    43b454d7f00ccf1a4027482edb7694175a1793f6

    SHA256

    1c65f8e5f34a48392c516f36280d60085a4579735c16076e5f3995ffbaa2b1bb

    SHA512

    76d7d0166aee54c0270e17d27a20f0a456702dc28f9a42eb4b6406391329eb15913f4b641e3c396c70081d7f3e3bbf082e96bfb6fb72e7fd3d8b8d88bc0cf69f

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    e235f7736e00d67d4783d4e7865abf15

    SHA1

    9302315deb10092c887cf039245fef8af935403d

    SHA256

    7fbcba09c110a83697af7e80cf5eb0ee1c26132a2bdd7ee4e22c436600b56912

    SHA512

    a6eef963f96c6530a57ff107819315477d5ff7b2084b0c226c6be42a7aadf7668689abc63422e23dd04c2704c034ab48706f169c96d7ae5502a67263873f735e

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    e6713f4db7ddb80ad17db8c49c703353

    SHA1

    326f36af0bee25b2b808e957ad78b85f291882a7

    SHA256

    2cfa3b634ad1f83821f2a27ebf1c03e8f46e23af242dd55d5a914a8e783339f8

    SHA512

    e24b599266850a7acb481fc8d91d22e190f471354f604fe8393c29330ad65d9409c03756c65c7ccf2089418bc06e7467205d3b2aa3944c623a473086dc48d003

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    45KB

    MD5

    78a5e4e8963c6a13dd64522f238a81cc

    SHA1

    2b113cab08c692e2ef8023e5f5e1043d5207cb48

    SHA256

    07f447f5e44279cc9e4ed87c17356c7c4b745b87d82b3a7e7c737c30e06208f1

    SHA512

    eb7231bfbea018c5cfc406684ec6aa8b34d70772091ce2ad9857458bfc4afb965a057dfea023b7fb3c8e95a466605777200145167c56739e0ff7b3470c3e9484

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    b1e5945c8e39f8e2d843d597f6a669da

    SHA1

    7b7cbf8d69e96883fde4cfb3ad06f2f4c7946ffa

    SHA256

    0e7d479782aa2c9f05ebbcf2f0912bc6ae0d75ce4a225481d2035624f378f53d

    SHA512

    d6b0459459b02a6439c09ef817096756e8869d965160073b8e8f517004a46142d9675b4e1195065029e732cfffbf907f81463933d839439406735c37cba2251a

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    b8ab07210ff5437f105c6c82cd3bd78f

    SHA1

    ab5d6c99aa966bb992e37fa8ee57a3dcbd4df3a7

    SHA256

    17fd18ce4c23b7d3542b4296a4a2414dfc84aab8d22962adca703dda91cd1d55

    SHA512

    2023b1ce8d82dfe9dd87ea534103b3b31157eb61de0c77ceb0f4a322e1b163b8abf9f5a4b5cbc79a453c419fcc368b75c93d8f959f371edb9736d9a3ee191f35

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    270d7de5001bf0d43984acf26637694d

    SHA1

    3648776149b5fd2408e9bb9eef9eac5da096e034

    SHA256

    194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e

    SHA512

    2268ff8fef0b42cbbcc0cabada31e3cc64387b9128055d0d3491734dcdec3b18caa4463626de63ce52cf35c4c22eed2bd18810b8fda61ec82550ac24608bc758

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    daf6018e8ee62f0a018bcda2507d580a

    SHA1

    6ac524899f36d9a676f9a3ffe32017ee2f93500d

    SHA256

    64289aa8ad5f8b81c8a1c3c497243729bd41eb90108545f4a3571088d9e18751

    SHA512

    3ce7b8b635f1d69294ee9e7aaa1455cd7b85f3b2a6bfa51d3d8c0147096dcfd7e131b00057d4e0bbe9dc2a1dd74d493ec5db4fbb711e0273668dccf5772c0fc2

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    f43b682fced6f63da05ddde9684fe5af

    SHA1

    2888e84d29238591c7c22578a03cd4f07939451d

    SHA256

    80033b413e9701d4d73497e3c5316d1bb81f164e16cd6b0024e3270371801c1e

    SHA512

    f5bf89c3b263ecb0726380615d85d65f632a11a7c5d3737f40f3446bdace681097343292a37d7dcf971a4e1002b472387462b84787a949c696258c16ce5e4e9d

  • C:\Windows\xk.exe

    Filesize

    45KB

    MD5

    4a2ff7f3d8b3cdc94ca5aa9b165d13cf

    SHA1

    a7ed631f2d71c64dc64579425962edb83052afed

    SHA256

    a9f67ec39319b42802e9309df3d386ab2c915968693de31751720a04e40ee4f2

    SHA512

    930c45f626e167e92eb04d72f1e520d013895386391783d9a7a5c9d76e3d6f3e366b2c1e8dc992df0c5510fd44684e6fbf4e33d8ac248581f550fd1f5bdd920a

  • C:\Windows\xk.exe

    Filesize

    45KB

    MD5

    4a1c433679b2b2e7de3b54a7192f320a

    SHA1

    6c1abee3b38c8f5bd38adcd269664e262153b7fd

    SHA256

    6e7c68fbb5a1126b3a386784b042dcd6889232df8e1da3ded6987585f1ce8e55

    SHA512

    4477f3981b8332048a7f6419aefbf163058bb7fd660a153da922f17e941487a21975696df4c5b4302fe8c9669d7f0d9ef2a49cceb7c072b81d297c7f338fe758

  • memory/536-123-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1148-114-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1148-117-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1636-131-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2128-215-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2376-203-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2376-200-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2576-256-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2964-209-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3004-112-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3220-136-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3428-252-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3584-189-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3800-197-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3804-192-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4016-221-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5000-206-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5000-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5000-247-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5000-257-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
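Several paths in the Downloads list appear twice with different hashes (CSRSS.EXE, SERVICES.EXE, WINLOGON.EXE, IExplorer.exe, xk.exe), all at 45KB, while C:\Users\Admin\AppData\Local\winlogon.exe carries the same SHA256 as the submitted sample. Hash-only matching on the dropped copies is therefore unreliable; the path and name set is the stable indicator. The script below is an added example and not part of the report: it rebuilds the dropped-file paths for every profile on a host, hashes whatever is present, and reports a file that exists with an unlisted hash instead of treating it as clean. The SHA256 values are copied from this page; the profile expansion and the use of %SystemRoot% are assumptions.

```powershell
# Added example, not from the report. Look for the dropped files on a host. The SHA256
# values are copied from the Downloads section above; the sandbox recorded two
# different hashes for several of the same paths, so a file that exists with an
# unlisted hash is reported as present, not ignored. Paths are rebuilt for every
# profile under C:\Users (the report used "Admin"); system-wide paths use %SystemRoot%.

function Find-DroppedFiles {
    $perUser = @{
        'AppData\Local\WINDOWS\CSRSS.EXE'    = @('de532d17e9c232c6c66b6cfd7bb2474226dc3bd07d90e9c67cb9039f31a83ceb',
                                                '1997f7457808108f20789454985bfdabcbb9376d8c53364f7dc47fd0b025ceee')
        'AppData\Local\WINDOWS\LSASS.EXE'    = @('1c65f8e5f34a48392c516f36280d60085a4579735c16076e5f3995ffbaa2b1bb')
        'AppData\Local\WINDOWS\SERVICES.EXE' = @('7fbcba09c110a83697af7e80cf5eb0ee1c26132a2bdd7ee4e22c436600b56912',
                                                '2cfa3b634ad1f83821f2a27ebf1c03e8f46e23af242dd55d5a914a8e783339f8')
        'AppData\Local\WINDOWS\SMSS.EXE'     = @('07f447f5e44279cc9e4ed87c17356c7c4b745b87d82b3a7e7c737c30e06208f1')
        'AppData\Local\WINDOWS\WINLOGON.EXE' = @('0e7d479782aa2c9f05ebbcf2f0912bc6ae0d75ce4a225481d2035624f378f53d',
                                                '17fd18ce4c23b7d3542b4296a4a2414dfc84aab8d22962adca703dda91cd1d55')
        # Same hash as the submitted sample: a straight self-copy.
        'AppData\Local\winlogon.exe'         = @('194e64992e46b5eb1ab20bf76fef7bf98ffc1ac2d58c0b1a8772aac6b7cc257e')
    }
    $systemWide = @{
        "$env:SystemRoot\SysWOW64\IExplorer.exe" = @('64289aa8ad5f8b81c8a1c3c497243729bd41eb90108545f4a3571088d9e18751',
                                                    '80033b413e9701d4d73497e3c5316d1bb81f164e16cd6b0024e3270371801c1e')
        "$env:SystemRoot\xk.exe"                 = @('a9f67ec39319b42802e9309df3d386ab2c915968693de31751720a04e40ee4f2',
                                                    '6e7c68fbb5a1126b3a386784b042dcd6889232df8e1da3ded6987585f1ce8e55')
    }

    # Expand the per-user paths for every profile directory on this host.
    $targets = @{}
    foreach ($k in $systemWide.Keys) { $targets[$k] = $systemWide[$k] }
    foreach ($userDir in Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in $perUser.Keys) {
            $targets[(Join-Path $userDir.FullName $rel)] = $perUser[$rel]
        }
    }

    foreach ($path in $targets.Keys) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        # Open the file directly so hidden/system attributes do not keep it out of the check.
        $stream = [System.IO.File]::OpenRead($path)
        try {
            $size = $stream.Length
            $sha  = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash.ToLowerInvariant()
        } finally {
            $stream.Dispose()
        }
        $status = 'present, hash not in report (copies differ per run, see above)'
        if ($targets[$path] -contains $sha) { $status = 'known hash from report' }
        [pscustomobject]@{ Path = $path; Bytes = $size; SHA256 = $sha; Status = $status }
    }
}

Find-DroppedFiles | Format-Table -AutoSize
```

Any hit, with either status, is a match for this sample's drop pattern; the hash column only tells you whether the copy is one the sandbox happened to record. The 188KB memory dumps at 0x400000-0x42F000 in the list above are the unpacked image of the 45KB UPX-packed file, which is the region to hash or carve if a hash of the unpacked code is wanted instead.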