Overview

overview

10

Static

static

3

2260cf8612...2b.exe

windows7-x64

10

2260cf8612...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe

  • Size

    292KB

  • MD5

    b3574ad7351c0db4e2be4bfaea711991

  • SHA1

    88f6c171d47c5727002e4dc13a0576b24f2294a7

  • SHA256

    2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b

  • SHA512

    a23eb2c3443f75ea9152d173a13e68bc13f9a4eeea1d0bc124ae7fa661651085ce5fb0826e81ed23122019280acdb89d1b2741b762ccc5a594665379e4453800

  • SSDEEP

    3072:vh1BTKDPZ8y9nd9SIb40UXEfhEYbzPCTVZR3AWijGLMoaqD3:5Tw9UU5EYCTvaBjuT

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Sets file execution options in registry 2 TTPs 6 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 35 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe
    "C:\Users\Admin\AppData\Local\Temp\2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\GLS1T4H\service.exe
      "C:\Windows\GLS1T4H\service.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2780
    • C:\Windows\GLS1T4H\smss.exe
      "C:\Windows\GLS1T4H\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2704
    • C:\Windows\GLS1T4H\system.exe
      "C:\Windows\GLS1T4H\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2512
    • C:\Windows\GLS1T4H\winlogon.exe
      "C:\Windows\GLS1T4H\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2928
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:1268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\GLS1T4H\FIF5J2C.com
    Filesize

    292KB

    MD5

    d89ed0297d535384d54f90d131726af8

    SHA1

    69fa30ef4cd20157a2b57eff203d0cdb4ffba0a8

    SHA256

    4b5378f123cfaf6aa936ebcc4e3b1f6dcd3229779832fda6071bb8e0a7ff2c97

    SHA512

    03bfaef31a264bf1d677c962e38713538e0945952d8df75a7d89a72c7069683c4aa65ef074cc5b3c39601b3d2d65609751e27ec6a8b5bb99ab2a9af1138d0aa3

    Download Submit

  • C:\Windows\GLS1T4H\FIF5J2C.com
    Filesize

    292KB

    MD5

    5c946509a8b4d85f5cb0889f3d447fa8

    SHA1

    3a9647f078ab8eb7a06789c219a3f6ae074e0628

    SHA256

    784523d9e84f2a9184f1714e47fcc83b2604ccd6cdbfce96d5ddae2ed223b46a

    SHA512

    9080818209289d1b78ef477f59dc42316386d1369501fde17143ebf84f5ac79836a08531f9e7e9cbbda1e30984cc5ee0c5e318b1ba43d3afd16430816f4f0279

    Download Submit

  • C:\Windows\GLS1T4H\FIF5J2C.com
    Filesize

    292KB

    MD5

    47e3d86f40d2e7741365c92778ed9bf2

    SHA1

    96ff20a6212334352579c15694ec4a920327ff9f

    SHA256

    337c6e003b30340ad304358533cb4c182c07225372f9a28154d5d8cb5b000a8b

    SHA512

    f4031600c9f59f81036d5ab200d934c9843e6838a0ba103791deafdd2d5c451f6698380c2e55c78271b5fcabcc7432b9bfe79e1577dc8d2afa44973ffb932382

    Download Submit

  • C:\Windows\GLS1T4H\PHN3X1H.exe
    Filesize

    292KB

    MD5

    ef59b9070a8c9a099901d33d05b388f1

    SHA1

    fdde1ece6f6793ae0e1c54c8c6e50d23ae00803a

    SHA256

    98abd73ce7c83116675802f35477d45839d1c0f3444e38c4d0a2a56c115f0ecf

    SHA512

    a53ea1ab5ed755e8d44ce0b010a1daa465887e9fc58ce17b4d0266a033ceae55111bf06f99235d2a01632d033b39cccebdecb59474c11e5f30174c3a872d9ed5

    Download Submit

  • C:\Windows\GLS1T4H\regedit.cmd
    Filesize

    292KB

    MD5

    36b1a0f7f997286a83979783efa5d6f9

    SHA1

    19592bb0faa3ada8c00a24152f78f65e29e7be6b

    SHA256

    a25a8abedd79bd519d3fa773085021c757470a1b6970e28384fa9686c26e08c3

    SHA512

    f8f64be79ad68b77a159c394af6f37765262c1cb3a58bf4c3eb85a35cb93a3f7216ec0690258ca91902a539ca34eb70a1bc9b0bc3db654df7a65ef110475538d

    Download Submit

  • C:\Windows\GLS1T4H\service.exe
    Filesize

    292KB

    MD5

    da2e9f3600e556510962d6ec66bac675

    SHA1

    bab75d07463dfcc78750e7aa78ee674000c7fa27

    SHA256

    9cf452ad9cfbed78e669535a0c1a3a58ee0d24a822d671a16f7a7c0200bb4e63

    SHA512

    e1be7444077ef4d213e85502e4b366d53b032aee29099573c622d7a8903c0b8ada4a2806b69ee59cb838a731a283c24a595f078dee26cff050b7fbafc8ff574b

    Download Submit

  • C:\Windows\GLS1T4H\smss.exe
    Filesize

    292KB

    MD5

    ea97538e4fc1d36402ce49ca18d23003

    SHA1

    a20878d13efd4ac200b2e1350b73422973d40701

    SHA256

    83807124ffa2a7f9f705aafe9b15344ac0cd2191159b0928f230cdd32649b615

    SHA512

    3084aec8175a7e8f5289993f9e0fe992c059f6a4acc32cc7d3c896b924dbabd3a9c6f208fa2cce52200b74d3516f216058b7f6a03079db504c9a530a0bb64d0b

    Download Submit

  • C:\Windows\GLS1T4H\system.exe
    Filesize

    292KB

    MD5

    c107c811d5d928fd7595d813b990b3a5

    SHA1

    ec8d2cb04c15f0800fad2be907c6ab64c60bd4e0

    SHA256

    8433df15dcead8409b16e9aee3a4314a9b61e0f73fb1c9dcc309767e570d562c

    SHA512

    7fc102f29beab77121c6b199fd242b014ad160ccab2c16bf1494ee26701ede8847f3c81ff5dd3881e314b1ec86223b30edcafd25a6aaea9a575b25f3d4edaecd

    Download Submit

  • C:\Windows\GLS1T4H\winlogon.exe
    Filesize

    292KB

    MD5

    c46a7a2f413e33b0e0f4ae84ffc6be70

    SHA1

    a73e74ae3b4a58a40dc62e5a6ddc6d519369dfdc

    SHA256

    349267fb1d5886d70ea4ca3bceb2e2922c56fd88ddb3de302e4c48e56f251b5c

    SHA512

    61d10caf428254fc4721676234f8eee0ef3a066a365107dd4ab2916ee1935e03456e61293a8b3b8b5b80bc051015ccf6cfa5168e486fd53f3be177be2362de68

    Download Submit

  • C:\Windows\IKU4F6L.exe
    Filesize

    292KB

    MD5

    178663be8cc4ddad60fa2010d762f6b7

    SHA1

    2501e35e24ebd3e7658b9306206e8495b5472390

    SHA256

    80046e07e9cfdf986ee2fc0ffe446e508d23152b6ac55015f0eb5ff4036c494c

    SHA512

    dc9b4179b4643099bf70adacaa2867517a8733816021e6ef5dcde0eb88e7dfbc6d0d03c2e69d27f6de43aae934c29bc6ae1fd39dedbea53361bef47af5bc568e

    Download Submit

  • C:\Windows\IKU4F6L.exe
    Filesize

    292KB

    MD5

    2321a92d4a91cc889e3a5fe684a6f4b1

    SHA1

    9a56bb3346fc1ccdfe66fa9f93232e455e3294e7

    SHA256

    39245065c5321b8953c49237e77d602d597aefe2c06b5c238a908637ac95f79b

    SHA512

    2fe6e8916a51dd8081a55de0a4388a7be50f0406998e3ed5a06c848816a58b1c07b0d3c457fd4532480e2902253fd55c3004a49f91a56125204b3ba2a0a8df77

    Download Submit

  • C:\Windows\IKU4F6L.exe
    Filesize

    292KB

    MD5

    6e3a1534a89bb6283514e384057b2a26

    SHA1

    5f986f25c877c8306ee3fc6c6a7f07c243d14606

    SHA256

    58c05231780c841589a7d8ffeaa4aaa4a0f09ee40b9bf2c96a1abdeaa5049c6e

    SHA512

    3ad5f72377a58600787b8faec80d09824c92bfa71be6c4a837335a467b4c074810dc4b5c73c0b36bb339a4e75e5a84d90ad0fa8c6835cecb66007387b1cd5456

    Download Submit

  • C:\Windows\NSE8X8V.exe
    Filesize

    292KB

    MD5

    42894be34ff69f25819253ee6ab067bf

    SHA1

    9cf3ea7b72c389fcbc7eb11e014f05499c717abb

    SHA256

    fb48ec1656954269396c211d8f22a0ea8e817eabc8afca71f7d3692b87d5f71f

    SHA512

    88b457b0994df8261fa94821c87d504f9119c45e75f88dfc6f7bfb2feb758442d9e657307d698c4b87226f022657f00f6cc2bac0ad4f58edc6f1c027c5b0a713

    Download Submit

  • C:\Windows\NSE8X8V.exe
    Filesize

    292KB

    MD5

    8c42d003132e8397ded9fc1748a43624

    SHA1

    4a0ad042e3e6c5c3ab6ceab51db0047f57b84f51

    SHA256

    4c3c6158549f8f0d07a19ecea7e806e474bb5f456570da1d337cebe8962477de

    SHA512

    1a098dc1bccdb8372fd039ba2eb6d14e514ed65a0ce51ee09e3b1d85ad39da91300a585853ea3e689e18112bbcec38656087da7d359d434d97d77ba543b0e001

    Download Submit

  • C:\Windows\SysWOW64\JYC5G6P\RMK0R5N.cmd
    Filesize

    292KB

    MD5

    b3574ad7351c0db4e2be4bfaea711991

    SHA1

    88f6c171d47c5727002e4dc13a0576b24f2294a7

    SHA256

    2260cf8612c558b5d7169cd9a6fbfb4edf669e9a9147e863cf3a98711988bd2b

    SHA512

    a23eb2c3443f75ea9152d173a13e68bc13f9a4eeea1d0bc124ae7fa661651085ce5fb0826e81ed23122019280acdb89d1b2741b762ccc5a594665379e4453800

    Download Submit

  • C:\Windows\SysWOW64\RMK0R5NNSE8X8V.exe
    Filesize

    292KB

    MD5

    6ec98340d66a10948733c126886281e5

    SHA1

    f1114d7306ca9abe5319918fecc4c55015bbb53b

    SHA256

    00509a322a7e6faa9239d720da2da9dd8a72148d4591ce6f2c9efa3d10b57fbb

    SHA512

    26177d0212d19d94b3db8ca42233ebf827bf311b9222decc1f29ae57f78fba9c0a1ecdebfea0d8ba572fb723f4765ee9c0d5acd28d99b7d155bb4f4368043706

    Download Submit

  • C:\Windows\SysWOW64\RMK0R5NNSE8X8V.exe
    Filesize

    292KB

    MD5

    06928443c0ba7ddbccc0d1d6c2c0caea

    SHA1

    b2f88e159464911128e1142effafdb4fb043b94e

    SHA256

    9f4b49b9162b8ce3b3fd650639bf661eba7b92fbb8af9ba3159d0045d308afdf

    SHA512

    ebecfd6d879a3c8887624c57dd6f43197e231d9c7ec9008ae74a917b0adb00f6435085802d1dff722ffae7a3d4c131ef3da082046e58aaaaf8bb219a4429fd85

    Download Submit

  • C:\Windows\SysWOW64\RMK0R5NNSE8X8V.exe
    Filesize

    292KB

    MD5

    2a79cafb0a38b7f5a4d8f68bfba4a15f

    SHA1

    7683437c55d6c4450eba3b39d2d6e7e6f3696197

    SHA256

    c6ccd0def8f571982eb66fedbfbe31657f2f7a572ffd5c68c222a6a359f86eb8

    SHA512

    eb8643d2fcb6ccf1f10c9697264093e0510e5a8bdec79cab2a38088a3e64fd40c06300c96d40232b20c1e0e1052f20cfdc9cef8ee0b50cae73a8d7830c21566c

    Download Submit

  • C:\Windows\SysWOW64\XWD5I3S.exe
    Filesize

    292KB

    MD5

    d90ec7a34ed6b4a18e5ac4c2cee370d6

    SHA1

    f3ecb61209aa3dbbeac3e2ea5d210c9f5383b183

    SHA256

    681c86ef57c7610abe021a9071e6d6046b4b8805e9db4ea520c3a5e97389470b

    SHA512

    cdc58523c9f815a537036193f2ab08c9729ca562c37e3d47d79b4f0e5b99f8d73660b71fd03ed66039ca37cb0c2cdfdf1d0bd3eacbd0ad2d5d2193b3ad7f35f4

    Download Submit

  • C:\Windows\SysWOW64\systear.dll
    Filesize

    141B

    MD5

    d36af91ade551102bcae8ef84b8c04e1

    SHA1

    7dc6fbecbd47b2df58c5cf5a6c6d16f7ce5b0210

    SHA256

    38bc0fad66855a48faeb135af524b7b4721b4278c4bf2aea75c91d5db12f754b

    SHA512

    4084e8887dab8b1f3489dda4905746737b41040281e2e36b6d4a4c7befdcc02139139489a676c0bee998afd95f583f5dbb81b0ec66cd5e9a436625e3db80b7d6

    Download Submit

  • C:\Windows\SysWOW64\systear.dll
    Filesize

    127B

    MD5

    5224e50554d8172f3f5877c9830d99f6

    SHA1

    bf43d9aa15e51a01ecc166b726e5cd8419919e03

    SHA256

    259bd7bb538b6b0d9902e0ed2ee2145434da3bdd3e413097ad3640608056ccf7

    SHA512

    20abfd8bd81691782da87c7d1bf00de747614640d76adbc93036e68cdd35c6f354a21d3dd715c133a7a4a0507b30986721b4bbbc7c7c52df7a621557e1168940

    Download Submit

  • C:\Windows\cypreg.dll
    Filesize

    417KB

    MD5

    b045b17d0ea4bf07c49a973ee0f051aa

    SHA1

    ab401855bcddfb3d86020885d5b9fe9e0cda63fa

    SHA256

    1fbc34b516034154520a98f6c92870e6c3937957b3716968d2a441cd5187233a

    SHA512

    d6b0d33e357d3edd01902adb9d009eb1e70e23ebc207ea507b2324d59d5ad415aa2a825bf6efe0584ac290e5af72341eebb0b02600a48d5b1fde9d2050669464

    Download Submit

  • C:\Windows\cypreg.dll
    Filesize

    417KB

    MD5

    65a3ed6f11ee1ee326e040a1348e49c1

    SHA1

    fc5a7b62fca85ea1b59089ddd42c61c9a4174556

    SHA256

    45c87ad35ff04e777d59cf81520d85bbef33f124c029e0f66c099d9ca001b8e1

    SHA512

    34cf8335336f998b3f7ea37ecb90a8e0ba0e49549be9970d2a0601aa59431759bdfc12ab8210549e6b4e8b6a311f494372a63a8bab23dd8685e9166e185b870a

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    292KB

    MD5

    172a58ba013dd4ac1fd29d7f6ee95028

    SHA1

    5dc93d15309429a55aa5064a9f145e42d3193573

    SHA256

    155d04228b62e7bb2cbe5aaec8843c2712e052766b47d6637af0637c0bde5741

    SHA512

    118988a7b30e751bdb8760563b7f215fad903231d3118eb715bd6bcc51342cadb56ad4ef836473e2e5f192bacb3c946ee4f439871a22b97e09d4876f8e2126f1

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    292KB

    MD5

    b8113245090cb05c816c7f5d33afc2d9

    SHA1

    b6f9c4a99dc84e42031a2cc79b5cedeaf449b0b9

    SHA256

    9e8e7eb22494155f0083845ecc95f6ba73fe69ab5e6eda78ef8b0e4fd86bb79e

    SHA512

    e7f07c6328dfcef4c6370077546695ea6b3c470263b8f2684aa4dfe1cd37fc00a5bd8afa0cb11953dccd09dfc98feb173d8016c1fe00614c9d90e6ae8f3e788b

    Download Submit

  • C:\Windows\moonlight.dll
    Filesize

    65KB

    MD5

    c55534452c57efa04f4109310f71ccca

    SHA1

    b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

    SHA256

    4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

    SHA512

    ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

    Download Submit

  • C:\Windows\onceinabluemoon.mid
    Filesize

    8KB

    MD5

    0e528d000aad58b255c1cf8fd0bb1089

    SHA1

    2445d2cc0921aea9ae53b8920d048d6537940ec6

    SHA256

    c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

    SHA512

    89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.3MB

    MD5

    6607dcb4e862442f64a65fe7296a5136

    SHA1

    d7cc2fc08853cf7eb6325fe01bb757449eae5062

    SHA256

    79014f65cdfc6a35d1bd5ed466bbc8f47c7135d708190040b5fdf879706669d8

    SHA512

    27f149fff54eda47a5195a1a42d7636f5ae57c2e5342f2ba01313fc8beaa69b032fd31df354dbfab1fc944d2b32c6974eb3e0d174cdcaf49e006508800b0b5b6

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.3MB

    MD5

    df12c22c15e5d20bcba0a947d32c76dc

    SHA1

    e30fed1d8aab5dee6184e5bff65f2a3ba7c4a4f0

    SHA256

    21863c3aef99b11328b3f2d5469d86c5cce53a78b1e47958571bdcb17931e627

    SHA512

    e8811587bd716debe9c223b72fbe87c804b10d690f962c2696d6e76272685cf865d3c7c440f5a87712d6f2107d2a2d28c413ddd1d7dcb451d4b54d58b4bb6366

    Download Submit

  • memory/2512-209-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2512-219-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download