Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/04/2024, 01:43

General

  • Target

    ae9e7531e4fd8f423474a6287803b1fc650bac0e95418df24bd6b439f6dcbace.exe

  • Size

    45KB

  • MD5

    a951ce4454e2dcd05bca6e055153f03a

  • SHA1

    11e7f89d287425b3c301d4979a2da0bd7902b41a

  • SHA256

    ae9e7531e4fd8f423474a6287803b1fc650bac0e95418df24bd6b439f6dcbace

  • SHA512

    532cef1746ba8780ff6453f648b0b46225fcf6f61537f312a0cf6c9bec51611fac2ffb8c86ede1678c70d13f17f057a4ccc4a0ad2f0a0bc16fc5361ce6a2ee06

  • SSDEEP

    768:ESxam3Usjr3Rf1aqStAjjydOunvvUCxoZ9xMcnbcuyD7UVOQI5nopS:ERsjdf1aM67v32Z9x5nouy8VTw

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 24 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae9e7531e4fd8f423474a6287803b1fc650bac0e95418df24bd6b439f6dcbace.exe
    "C:\Users\Admin\AppData\Local\Temp\ae9e7531e4fd8f423474a6287803b1fc650bac0e95418df24bd6b439f6dcbace.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1996
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1688
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2632
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2888
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1668
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2208
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1620

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\services.exe

          Filesize

          45KB

          MD5

          a951ce4454e2dcd05bca6e055153f03a

          SHA1

          11e7f89d287425b3c301d4979a2da0bd7902b41a

          SHA256

          ae9e7531e4fd8f423474a6287803b1fc650bac0e95418df24bd6b439f6dcbace

          SHA512

          532cef1746ba8780ff6453f648b0b46225fcf6f61537f312a0cf6c9bec51611fac2ffb8c86ede1678c70d13f17f057a4ccc4a0ad2f0a0bc16fc5361ce6a2ee06

        • C:\Windows\xk.exe

          Filesize

          45KB

          MD5

          35db0f8ed6b6e58a4458210981132f82

          SHA1

          15dfd4551f2fe12483f51636f025fa686b50ea39

          SHA256

          cfe3c377a5b2b0209d123952b626ad856bf6dd6a87dcab6f4c74f6bd274e9e31

          SHA512

          af786f79669e67ecba534d05bcbbdb8322851228ace4d7f849dd610780647a36822b7e672b27102774731c497a18ba9f74d1ad302c09ad394f863a1f64aee3e7

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          45KB

          MD5

          cd89f46cf5f38c0e1c3062f38773110e

          SHA1

          9292b1eb11bf03a94fea76caac02fb4b7ee1f344

          SHA256

          9849750d9a5092e093595d63811115cbb6dd843230d819b8bf04a6a1e7beded0

          SHA512

          f9043122fda84b7106cc1d51d51d621fdfc1a59a8d7e8ade78aeb9403cb91a256618d753444e7b5ffa46eede38973863d3e4819f3d6f032128da1d99cb8c7c80

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          45KB

          MD5

          cc1412ec80c46e72940932c5ee623972

          SHA1

          49cf60c67623a1d537710f1956e8f2a059a8c2c3

          SHA256

          e38a3ce46075201a306c920243f69314b8cc552fb87466617fb83d67888e9963

          SHA512

          fd9d6e41b02d33dcb4a00f373443ea0d6925bd9272098707874dac110050fe7d06eb09b3c1dfa4fd21a9d5bebf87bde1380eeb58af7e555246e6405b9184359a

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          45KB

          MD5

          06e170605dd615e10916b93d9938d078

          SHA1

          5c1ec0dccc620823de028464522fe96e8689c2a0

          SHA256

          72f313a935f8486467786f4852edc56896029ba599271ae378616daf70d53553

          SHA512

          2eb5b68c3cf73564410b42a5fed9b24bf2183dbdbd2b8fcf0839c8494c27e59c3199186996f9f1d657dfe0e1a143a6324bea8e75159b7f6e499c0c6313b1f684

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          45KB

          MD5

          6e1359cdb256129bf6e1639711b6d9cc

          SHA1

          0b6e237a95b697c5937831e9eee7101c65219e79

          SHA256

          40cc0771823fcdce7191ef1d86d5abd981f899f94de68001d9349cc904a4acc9

          SHA512

          82ab9eda13e32962f6242be8d8899797cebae62c960642432f397a5ed8dca0a1f506aa7efc7b67b44be48f5f9b0bb53be1e0c95eeacc0a560ecd0eaaa9ff7970

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          45KB

          MD5

          75258b5a1d5fe7232557fec4be3b602f

          SHA1

          7763fe2c813b6e1f9f0aa67bb3f66eeff94c8f74

          SHA256

          a7bf2fadae47b905da2da7ac0b161407ca213b12ad16b6f169a8c7bea7d7c2ff

          SHA512

          487cb2792fa0dd2d198735df56c3e3ade2334411a9d317c1dee645d44c1d6ab46061775201a422dba32e173b1cc977508b70743f8aa8ec6e1e6e99d4ddee5912

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          45KB

          MD5

          38c0e0efb35cb1b5e9c4a960db926888

          SHA1

          095cdc4ed91bdd9a8cbdc06cea3645d4cdcdc0a8

          SHA256

          863e40a33e31f380d2e4f889a489483c3cee3ad002ff0f337a57713ed9c5f1b3

          SHA512

          8715c82664c49a2514a92470abf914e4c42f0de601cce7f71b8d808cdef376ae7e83255ebbae8a32b7dab99725a2a7bf66be4e2d777c43e2feb3fdd89ca8c4c6

        • memory/1620-180-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1668-147-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1688-111-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1688-114-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1948-158-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1948-155-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1996-121-0x0000000001DF0000-0x0000000001E1F000-memory.dmp

          Filesize

          188KB

        • memory/1996-134-0x0000000001DF0000-0x0000000001E1F000-memory.dmp

          Filesize

          188KB

        • memory/1996-144-0x0000000001DF0000-0x0000000001E1F000-memory.dmp

          Filesize

          188KB

        • memory/1996-0-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1996-116-0x0000000001DF0000-0x0000000001E1F000-memory.dmp

          Filesize

          188KB

        • memory/1996-177-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1996-181-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/1996-109-0x0000000001DF0000-0x0000000001E1F000-memory.dmp

          Filesize

          188KB

        • memory/2208-166-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2208-170-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2632-125-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

        • memory/2888-136-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB