Overview

overview

10

Static

static

3

bde6b874d5...72.exe

windows7-x64

10

bde6b874d5...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2024, 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bde6b874d59e3f582a28cad6c4b0aa47e7bfcddd1609df1d3e55f365db9ff772.exe

  • Size

    91KB

  • MD5

    28471ec318a7e8792c3a81380d6237c3

  • SHA1

    3bdf63496de3b6c0ac7a7482907072cc0f643944

  • SHA256

    bde6b874d59e3f582a28cad6c4b0aa47e7bfcddd1609df1d3e55f365db9ff772

  • SHA512

    3d0834aa2f4842023d77c18b506bc07ab3eac9ca1200f9ae4aa9d5da916725db77e69b042aca1e249c5490e1c69df86bbae3a3acd1cc69b6ea23bffe5a46393c

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imu/au23gRYjXbUeHORIQ:uT3OA3+KQsxfS4RvT3OA3+KQsxfS46

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bde6b874d59e3f582a28cad6c4b0aa47e7bfcddd1609df1d3e55f365db9ff772.exe
    "C:\Users\Admin\AppData\Local\Temp\bde6b874d59e3f582a28cad6c4b0aa47e7bfcddd1609df1d3e55f365db9ff772.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:960
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2688
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3356
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1876
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:920
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:636
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1956
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5004
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3728
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4040
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:556
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2680
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4492
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    fd94d5ccab1d27e8e0e300b692e351bd

    SHA1

    24792fc5f7b842afd55b6a1702fa7c6ab60c34c3

    SHA256

    ba365287bf6a4500beca8fe4eb627f10b08590129678d9679ff53a95d92622b5

    SHA512

    b3dbf83e84b4bfdaef32474fc6c256b2e93dc27ea0238549a7448b9e3c6ae32d4f6c2af98278b56774220e9f742bffa22dad7db52f69235d394df35d16234813

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    d1ffa74ecdf3f591fffa2956fa242314

    SHA1

    3d98ab399e0a0eed7ca4659fc923a809ba15434e

    SHA256

    0a777599795324d1aeece551872662baff6893f436b1eb53e822d28e195e642e

    SHA512

    113734b2aef755556622a12b00b65041040b242d669604ac8c8c74f0c52b4fa6ffb058068094a85ae49454351ff9a8d13ac34a616f82fbefdddececcdf25f428

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    05468b55552bff4225b49e4a3174bc9d

    SHA1

    b060f4b09b6b2bfec2949c8a2a7ab5ac16b1e687

    SHA256

    1922ebb22845c8020d8d9e78552730cd592160e44aaef39a21d66c8bb68aff81

    SHA512

    1fc16589fbe0f3d2502883eb8a19e7034e25c040ee3869c94009cd5ce16e8687a52a8e2e661feb8cdc32eaa391f41284b146f1546fec8604e0fab944c42a349f

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    116954520348f4d8e7592a63f6bd89d1

    SHA1

    b7c01b79f56c4606ffa9f21cabc67068f99c0e4b

    SHA256

    967bb41a8a307839a69ff6d56e9f7bcae8a0a50289a2cf2a79cb430445bbbe87

    SHA512

    34d974863e56fb145b94dd46182a3e80123c476d00953b6275301ef7eb4189a11483a6640ecb3b6def7028fb135af98951d3a938f33bc2828490318f3d118528

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    384c9c1d087d121bccd4fb60bcc7a07b

    SHA1

    b77d3d2b4da36646427071f0b7c69fc823c3c09a

    SHA256

    0129d5968060c37e290a60b0bf3c5271a90c65f395b27f4bf3956fa14a3f78eb

    SHA512

    eec642e3e71175fffcd12d36260057cad9b2ede9b46a69724f32621624273bff62cc5f1e20238ff78b6e81e8b1ccb898f5e212cb07dc1b08c80c6832fb91f552

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    28471ec318a7e8792c3a81380d6237c3

    SHA1

    3bdf63496de3b6c0ac7a7482907072cc0f643944

    SHA256

    bde6b874d59e3f582a28cad6c4b0aa47e7bfcddd1609df1d3e55f365db9ff772

    SHA512

    3d0834aa2f4842023d77c18b506bc07ab3eac9ca1200f9ae4aa9d5da916725db77e69b042aca1e249c5490e1c69df86bbae3a3acd1cc69b6ea23bffe5a46393c

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    7a113a8d703e415cacebe43444fc211b

    SHA1

    6b49cfba3ba9e464bfb1a5ed52e3fffd512c23a5

    SHA256

    82de07d4233dd8520c0e601cd8659ea90c93ad583b165a2c6d0254872b16193a

    SHA512

    2311596693b36dfb9ac5a6933c8e0241934e31ab68208172f40d81c4809e54d47a7b1271b57d3fc13da62c02a816adf3bbbc18370d5fccefa091a3fd3134e39d

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    8a08b46ec403db032d383606a51f2598

    SHA1

    7a6876f5ea02fd7232d821c38b226e5d95ef83c1

    SHA256

    e5c6523b1527824b844e394bcaa26eec367b88758b06fd6e7cb6d509916aece5

    SHA512

    9b65f08454bf5b6c12e51ff1d2b839c03bc6597df6e7447aaaadd322300458d7c5b8e82507b491ef47d648ccf1a81c6c302edabbb6f2c1c12e41d23a79f1bc8c

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    f99ae1d98999fedeec2c55e6eb6306d7

    SHA1

    5562ef3cefb7508d81321a04fb3e5071235a8241

    SHA256

    faa2b62e77657968bfd884ee3a1e087c557156d3f073057b74f73b085fd169dd

    SHA512

    e61d8762293f3bb588246e2b64815b5b6c1a3dea18e012de52c87d0803252e615fa49418fcb1e38ea68fb19bcfb5eeee9036185ff7a4d45f555a0a23bd701f9e

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    e834d3fc46b6844dafbb1812f02da147

    SHA1

    2df9384789df944b5715247e84368c84d38985d0

    SHA256

    53ee2bfddd0de29a14bb9bc9466b36378d2812388111e2560a4254e6432cfbd8

    SHA512

    6bb74a077476499ff0e99bf7122a488f490dc259626a06aa5a49ab7c7f7ffbba148a28523b6258133f6bf0cb4c4ef52c656a0dfd7d571d2b5bdcce810ee34877

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    449593036ef8364907bb8ae487961d70

    SHA1

    094c493e8e953d695091f2b17dd77c9806189c3b

    SHA256

    0d38527e34f41e01e2d4b66ad64533712c63bcafb1de601c5cb4a705a6fae320

    SHA512

    09b0bbf67497205fd73331031f7757715d6783e012e49f2fd8ad38c57808fbf40a54922e3773352ed6b2a22ab3f286f05b951a84dd525d33c3029b38b524c50d

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    e47c5db351dc37b114ca80f21f012a99

    SHA1

    b1fa8fd5aa338bfcd57a28193f83546a02740646

    SHA256

    75c7d26c8b4e7f74e7cbd0c35372f19fafa3c50871018cfe86db2b67c187f1b1

    SHA512

    8839432347ec1377ccff4ca39a1002283be85208c948081dfa299f59b1d322b8398560ff9a7086aeaed781a294825d8d3324091e809bc3f609be9a7665ed5641

    Download Submit

  • memory/556-239-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/636-199-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/636-204-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/636-198-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/920-142-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/920-147-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/920-143-0x00000000001E0000-0x00000000001E4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/960-2-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/960-298-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/960-141-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/960-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/960-4-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/960-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/960-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/960-277-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1636-251-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1636-247-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1876-136-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1876-131-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1876-132-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1876-137-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1956-206-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1956-211-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1956-207-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2680-281-0x00000000001E0000-0x00000000001E4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2680-280-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2680-285-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2688-114-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2688-112-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2688-117-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3356-121-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3356-124-0x00000000001C0000-0x00000000001C4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3356-128-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3356-122-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3436-297-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3436-293-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3728-228-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/3728-223-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4040-231-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4492-287-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/5004-214-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/5004-216-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/5004-215-0x00000000756F0000-0x000000007584D000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/5004-220-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download