Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28-03-2024 19:13
General
-
Target
39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe.exe
-
Size
302KB
-
MD5
2b3b6074ec5c2ad094af41b6faaa9d3d
-
SHA1
762314f063e3639bb9ceb98e3ce27af65e4d0db0
-
SHA256
39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe
-
SHA512
f74a282a71d4f60e20c6c9f23a32fe5ecd56287f977d6fa925609f7b374ed1c0e3a969088dfc8dca09123782a0b722552c908f5a463e1f8a7f79c1adc6ef01c8
-
SSDEEP
6144:PeHwXUU5EYCTvaBjRjWrLJKuKnGML5NjcxP:PyMUusvalgg5NjaP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 3 IoCs
-
Modifies system executable filetype association 2 TTPs 2 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe.exe"C:\Users\Admin\AppData\Local\Temp\39a724fe218d31c5eff3d0bd957afbbad541ef09ba6ab6a2cd165f749c2b1dbe.exe"1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\PUD5E7Q\service.exe"C:\Windows\PUD5E7Q\service.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\PUD5E7Q\smss.exe"C:\Windows\PUD5E7Q\smss.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\PUD5E7Q\system.exe"C:\Windows\PUD5E7Q\system.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 13803⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 13883⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 11563⤵
- Program crash
-
-
-
C:\Windows\PUD5E7Q\winlogon.exe"C:\Windows\PUD5E7Q\winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\lsass.exe"C:\Windows\lsass.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4560 -ip 45601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4560 -ip 45601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4560 -ip 45601⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
302KB
MD5ae6cfd77f7336265b96a0cbb87aec1c4
SHA135bd95788c9813d7cd3a668b09a0a9979683389a
SHA256dc5aebb3421a178978089540e11dc8f344acd5297c5373e22ff8b35712a43183
SHA512257238c9a3105ecb2892bd4b14c656ccb129420cbc65e94c418dbf6008306c798fa30fc268026d9bc652f4957b487b474d6359fdab25f0afb2cf2a714fe2ecef
-
Filesize
302KB
MD5ecda12a13394b439dab4dbb0a849dd64
SHA146fd4be745f644f9e49405f95dc984c3cd19b993
SHA256e5eed5d273ee07652afc54e5ee3d75f91a4f8f293eeabaebfbad785df3645758
SHA51277bbbe787b875424892164bbd5c1afee11af4211596c0c390a5425a4ad0aca98161608234f48aae21f2d234c5a9f9cbef6af2c62c4187d201e5780520a6e1684
-
Filesize
302KB
MD5db81fff5a6a3e5b1ea6614f2564566de
SHA17f89ebcbafa5f6dcc82fb873725cc990d5d18761
SHA25628a5ad3a298890e079b15551e3a03819d2663d910a07010eeca849929fdcaba2
SHA512725197b9f4cf81897a7ff130330cd0ca153d39c7fbd2726dfae67c15607f9409becd02d4b1ca2f238124da083a10dcd1ddcd549af4a32d2b66a208997413969a
-
Filesize
302KB
MD52c84475f1905134669c2b63508dbf69e
SHA1d3f4ae021a03cc9e0580b373d49d97e2c2b9cf39
SHA256867a91cc5aa50db568aec3b5c0e87884f8c308f056a7572e1e591fa01c134ccc
SHA512a0eba44c2124fd3e779bdee6b5b64eb3472c1a237cb77abb97aca8508c2f0e11b4af71263f164245e069024a97ed5dc497d5530a07ecefb89fb95051afd38e4a
-
Filesize
302KB
MD5b8ca39b0a4324ac5f96ebabddfc2bc37
SHA11ae8c0d56b8b4f7e176a589957c1e50a396a1db4
SHA25676c6b6afffb95df05e9d63b528c99de1b3f99a23437855ba1392cdf84372839d
SHA51255877e9ce46c56cdec751f561153c3a26dde7dbb59b765650ef8c5b64638a901e61dd5420b4b27d2fe558dff714da3ec3210cc681218a03cd8d30a557dd4d5f0
-
Filesize
302KB
MD5f60cb007f6c5c135a3b956e938c4fa2d
SHA17d27bc5a55890c5f68133783bede7ad999b4d906
SHA256a0fbc7bc2a99681527c171fe4b942a29fe540ffb501d0dbf9037d7e4db10383d
SHA512071b88bcaf9b71854f46667109a6a33b43e334b50ad2bb708ca13de768fdeda0ab9795c816ac13d151a003e6a8b636700d25d393cac8a0581e2563eb829372eb
-
Filesize
302KB
MD569aa7b0824033b395baa0f07ae853e8c
SHA1e47a1432f634a073ced82ef9b1777024d7003c26
SHA256dae081e2b54a9da84cffcddb26fbebdbcdac2609117dd4b14599588f6753e398
SHA5121b65b7d3cd6d628eb8b221fec8d65b1f8b2c97f8fc55b02e531ffff1d4b49f164044f7c379723dd57204d3334684b287ef1d65db23cba85f3704467963cb8d93
-
Filesize
302KB
MD5073b40dda46f88cd415cbf39aa88837a
SHA113b662777bc214916aea42a707ff538449fc3ba6
SHA25691460bb4852ef7a6223a00d85ffca94a70173ead773e5ce2064458e860ceee3e
SHA5124aa8125bd76f166ad9c2f02852373de84c71a97bf2bf4f5cb7d2abd8662d8bcbda6284deb59ff410c508410ba402f63210d0b0c7cbfa956edfe386c38fc86f3e
-
Filesize
302KB
MD566ba5030edec6082aa2d6619de8e3b78
SHA1e7c69fedf6abea94a645f4d310ef048f296d53ab
SHA256d0f190ce845b8fa57fd12eeaf83f5dd60943af46ccd7efe2d445bf07f91a73b4
SHA512a083663e4739f742add2ed511064db346aa41ea9973e2e14a8ae6a329ea969d72e722db9b77dfb03af237076562b23b204c13f1c4a3629de22bd00648e5b2bd3
-
Filesize
302KB
MD5a8990c55e45a53ba229c552d1e05c749
SHA19b718363d6210ce01919b6b57f93232c163f2756
SHA256b41d96c226208fcb048d5792924a52df25da65e7ac4d3e47bc37af1b0b21a806
SHA5128db74ce9d721d583c2ca8fbc703235c95aea750532df281c15ccb9e316fb74925f92eb581d803cf0fa990eac002e90b45febb37e9fe9989559de1f4000b749ed
-
Filesize
302KB
MD51f72904a41d27fdb67913cf5a7ba9fa5
SHA189531ad5af449c24c1e383d1a46970f2ec2d032e
SHA256fd27f79fef8e978c027b86f9d83dd1d29402dd63aeb6d523cf026e23fb9a0909
SHA512284e7e42b082a822a976ff58b4595735f27e036bcc28c21c361c7d6787f288d4d9edca5ed9dee45041056cd2bff3ba2421aa1f180cf695b33b67df7b6ee7b8b0
-
Filesize
302KB
MD53eb0ab99e5aaf5c0edb6d0729edd2b65
SHA1bdb43c93d8e63b6d59baafd5ff4f8fdd676f894a
SHA25612a1b5b4650fff1a30b4499a7ba3aa547771c2885fcd90d1a565823e8ee0ad25
SHA51246f18f1275f573c0f655f3080703ef245b725859d1ca166cdab2aa64a4c6c9d83161c8f1bcabc8d10d5bfebc9e82d8eefa94c7d7aea0662e06ae6917d5002a20
-
Filesize
302KB
MD5479d613cf233d6cbdbdc21015502a468
SHA17dd3b744ba27417bfa860ebab25e4c113f7eb849
SHA256f292f34f31ad6da9f3a5cd04d97044c29d19c4d0c0fd1cc13494ff9c1d64d0c0
SHA5128a528c2811680ac1d252191bbfe3716dd1f795c856efc84046fb0507c1d3c83c0087aa6d65023d11d5c8ab8cd5fc4adb38e8af928362b925777b1aee6fad0f8e
-
Filesize
302KB
MD530bc2edd7f2a4f3a5990e3dc38598313
SHA1e4eea56e88e0e095980769be7771c7c8b764b7d5
SHA256c3505a1aca93041e0129f455b2976467e9f9c096d232a6b1c96e9ce9468fa960
SHA512300b6ed4e2fa2ec84e0487443c6b793fb74d839933f752c0ee19766a5e32d7208fc8c4bb5c4967db2b6d64f62ab7bf362743a5be0663986aa8a093d1582d0e45
-
Filesize
302KB
MD59a11127fe17fdbf80f86fe2a6be6a396
SHA16b2f4fd4bf57af34275d13a9e6fab1e2638d7fa7
SHA256ffffb8d7a1509c07f716560f4d034b2340acec756b8e89c0dcc62d5cfe1cf127
SHA512159af6ae2bea62cb82079e64bcb77243f42897f073f0e5548968baa85341d4f1f143cafda8731e8d9f2fc9737d23c66f5913d4697438aee974e49151a0aaa336
-
Filesize
127B
MD5cf68e97b8eda3cef394699064d6064ef
SHA168cc41427b5e9389fb6177da9aa03bb3f1ab0ae1
SHA2563e3f42f6edc9033e374efdfeae3c55b0e46daa131bcc68ac433a399325ccd3c7
SHA512ac3783ee188ccd87b9027ccca57b7e3924a9a2a6050b246375694599d3d44e0c1c93f5adf84c277f970c0fd1fda7fb14132795a04b4e90f5c18cc9d5dd16d712
-
Filesize
141B
MD5fcaf13fbca22d6739d96781d4f5c66f2
SHA1c58af96f6a6405474f0c45c0f6d4745dd023e427
SHA256329eb08c36ddf4c765fc0d0edfeb424f2e51f2641812d26a8da56868348bd369
SHA512bce646e7058df4032107a24c2b1fac500797ca00fb21f680cb019273e2d13dba05f55e419581aca21ccf2a0007c7d574200bceda3c2c66811bfba402861c9758
-
Filesize
302KB
MD50f976c7a5ee2e890a77e336fad293666
SHA1028b43b5784de99522ab5d8e207197830bf82cfe
SHA256e1e2c4e0fa2c1d9fa2ebf0144e15401f11dd4c2bc7cf4dcc4994cadb49da7042
SHA51280612dc7a197d210d3e90d3830e10b10123ad04bd2ae20d807d1e330de3fd3a30f14804faf599fa0a1806ca3c50aa15404e103396e08b3359a8b87c194b1e9cb
-
Filesize
361KB
MD5743f8e737976b7b58abd2acf2f1082c6
SHA15b023c812e28f2b0cf442edc7cb558376c3a67c2
SHA256192d6a279fbc68fb01b483ea03197ec79e8b8289da57cd0f9aead7a6dbb4e7aa
SHA512342fcb283694c0fdfb348ccba711c5dc714cd93d875f1e997bc0e853017b80a0d836e2958eff8ece0717246c0781ba93508f4399530965cfa7e010a364129c34
-
Filesize
361KB
MD51e1e0ba48fa72dc5e7b482afd9d3a7e0
SHA12a930121ef6839a0905d253ddeae565b45a95782
SHA25694ca13a7007fb2c1db881f79c436a1b392e7a41ff8e126f5d3b4f32cfe2183c9
SHA51270e0886004a164817cad5829d588fda560527579842d4fed654a2bfbe2999e473aebd8f67ac733362c107c5c40245cbf58906e7934e6138e43ce630c850fcc7d
-
Filesize
361KB
MD526f2877dc2b09e2739d77e92503c4ea4
SHA1d5bf6af509884d16e6a11a5a3a3f57aa2de16d3c
SHA256423cd8275afe8a3fec35335df91322e6640822ff7e25445451cb924c334479e8
SHA512095f89ae79a3c5012c117c9ab07c1932b86ebf171efdb9ad7dd0709d3a8d48b6b9b2e74a1b1a0ccf96ac9ef415965b473dab2864cf3192149986342549511722
-
Filesize
302KB
MD55afa8c2252bf593b79ae91fad017e3c2
SHA102a0d886b09ba24ca340fb3eea02d238b1bbaeb3
SHA25644ab091bbc86edd28a199f33c4cfd41f0ebfd39424a458d934cfc10710cc866c
SHA5128212a13ec845d9e7cd61693438ee0fb6fb31244cba778c776d2a175d7e008d63eeb87fcb2388645992d568034235c1a56ff6c06279c5d476de348f909f77c6ee
-
Filesize
302KB
MD5e53d27d2fd4df6861012e0df990cb36f
SHA1d7d9d9d2e8904d8114ccf20af5f7215966de191a
SHA25679e8374d19bb9aa2173799d7c656ee3cc6e3e191aab8de51456e857a90bcba8a
SHA512e652d84b27d86f44fe239965ecd9a53050514e80a64ca2b10c1d51b050f0e760ead8496901edf7efae816d90df781ca61236bd02205ed8db4ee10288fecf7b6a
-
Filesize
302KB
MD5b7a2cf3b95a2271bd0d30b7216512477
SHA1ccaab585b54c59d9f484147c9cfe4f76abbd0c2a
SHA256a29d22e37bbb8f17299e8c59d87a720c8a377de0aecfc2c03277e14edeaf3e1c
SHA512f15823ff8931b0657949e0518ffd6ef88bfd3b752d863bbeb39a8bd3c495ac2b95a20a33e2e2d20c7bfc6bb9965b0e8312142e25e2a6208b99ea8c8691632180
-
Filesize
65KB
MD58e6e31f8df128a746ff9a3a38f8f78c0
SHA1e4da9aa336eb7e254592e585b29d8b4e23f3e4bd
SHA256dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7
SHA512eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6
-
Filesize
8KB
MD50e528d000aad58b255c1cf8fd0bb1089
SHA12445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA51289ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116
-
Filesize
1.4MB
MD512436a36db8c34408612ef20a9117495
SHA10c70db1f8ca9bc0d7dfd569cc4ab404c63015b9c
SHA256c3a9677bbffe69b3b6a85b1ff97ca0368dca85aa1d46fc4ed20cee5dfffa3f5f
SHA5124fa7c8040449d523f1317c1c2685a2f7070b0ca8611a06b3525a28c91ced810c3442646beaf0c6e3ffa2a9e21f812c14fc8c31b19a5cebb72105adad8843c2b5
-
Filesize
1.4MB
MD5d93921be0a8cc54b2914d59edda504ff
SHA161699b7bf5b7b3903ed8a99623367054f57a934a
SHA2562160e45f6bb10d3e3a8765ffc01b42dd6a68159abf14c1a8dea2602365bb002d
SHA5126dc0088e685920d63b7898a413d1351b37c5c431d02ffd04c3db42527ec09178641a94abefdaa2dd2a70792240d1caf25f943fe04ca4eb9556a52f9ed17e4a36
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
468KB