Overview

overview

10

Static

static

10

b27016a1e7...70.exe

windows7-x64

10

b27016a1e7...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    23-04-2024 02:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70.exe

  • Size

    45KB

  • MD5

    f4dc5ff155bea6cac06d9bd22afcd892

  • SHA1

    65de87ea390aff2005c44c664dd6ad401af0b798

  • SHA256

    b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70

  • SHA512

    49a948dab7767a7df7f825bf16c965fcc9739d71fe70f04f97484511e9e59e9d83f7d1af3075ca8de7ff94ce8e80f478c7375e52e9c4c18f0aa473c1c7be88eb

  • SSDEEP

    768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nEn1:zAwEmBZ04faWmtN4nic+6G1

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 36 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 22 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70.exe
    "C:\Users\Admin\AppData\Local\Temp\b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2812
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2944
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2316
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1008
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:828
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1912
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3012
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1276
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1128
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2028
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:920
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3024
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    0bce2fabd4577ea702b5942622782675

    SHA1

    ce731dc7ecad1145c278bf48f58e5fdb770d0fc0

    SHA256

    bda00165481e91054d8bd7b820b496418973d96d008989500f081848bfac87a3

    SHA512

    546bea650a3cce4c8f6d621fc904af3f6859b839d1e540bc328e5d8adfede77ddb55ce5d4f585223264fc9173d940298f473b236a300f3016dafb6a9113ad84f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    b0b385c9326c25b5362f30a25f480d75

    SHA1

    4a9bf09c6806f0746d7ef896e7f2121cbdad90c8

    SHA256

    3b66e6314cfd1a08e5976e928952d4bf25e4282ad3a0abb550f158970a356d05

    SHA512

    704bc8cb6235ddb34740cd0386d4ee1ffd1e034438ac01ba0374e828dca5c1d4bf4807ae6cf622827a028a068ff12850af1f4cb2b38f8cf0bbfd47680585787b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    191b38cfd8bd5d58aa6fc97cf0577193

    SHA1

    c7144026fc1b1866966f8b27edf61fd3210979b5

    SHA256

    1070d8bd82296bac7470a847796eed89ab2156094cbc69b77d23e824521677c8

    SHA512

    95ebe70b77c99ab984a43d18083e1cd76929579ef4dee380f9883d791f4234b541ed5e86a7868203a2b60cb3efaeacb48a1250441d3a6164b67e0be90472136d

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    45KB

    MD5

    f4dc5ff155bea6cac06d9bd22afcd892

    SHA1

    65de87ea390aff2005c44c664dd6ad401af0b798

    SHA256

    b27016a1e75e9fa704b08ccb15a6c021bd8e456583c9967bb584d887b315eb70

    SHA512

    49a948dab7767a7df7f825bf16c965fcc9739d71fe70f04f97484511e9e59e9d83f7d1af3075ca8de7ff94ce8e80f478c7375e52e9c4c18f0aa473c1c7be88eb

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    fb8fb2743a31738f46e4df5fa7140895

    SHA1

    33cdf0d24558742657b7405143bc41f0888c63df

    SHA256

    205e97664975163e3da1380c040adc9563911358dd82825aeb5ad94cbae01bc8

    SHA512

    ef7114ca058c5bcc54d6075411277dd96d08c78b66fc50f233bf430ec809cd46615218bda5003a5a59faff039ae63b90bfd000a60daaefaf7b5a20f6d1d4e30d

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    248c40b4d47c43cdab6de2958787c779

    SHA1

    9573db39a804a45c1ba1b014d570ec8185c08c53

    SHA256

    d625b602f5576e12c2cae712ce0bbf719ea5135293334268a5ebdb2be4873abf

    SHA512

    31082cc189df6661f5c33a0e4087a5b06c290695a02618661dfe59c66a675e5dbf1cee8ccb81690d85d4c278323e18635df0b818a94ab9eae8fb6b68c1d2b6a6

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    e2ab3dee75e5192bfbd760101431ad7d

    SHA1

    54cd87643e14b287813b6f23cd8f9c8f0afed131

    SHA256

    5e1ddf7116000f65cb61ea7970b9bbaf59ca2b5e2a70d87884f47a51ee247af0

    SHA512

    b830a1b0e65e81fcbf1f612199f3c49c333f5af9d08c76d951016a4502918a54ce3102aa277af0727b5cae6abe21ebf871b2c7ad850fac6e686dfb1cec87ddcf

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    5628f967d9e7943eef8d3d2f0aca779f

    SHA1

    1d5db72d3a1207d9aad20e6e3cc7543bc3137a15

    SHA256

    9c2468c0edb7666fd41a48d9294d172fd84863d88af2d894fc281282d7ade040

    SHA512

    064d9a7a533ea6a2f9f962aa4215484c0cda94f15c09ef2cd2a3faf7469a2390a7af55fdc0300ab2bf6be6198a879eeee1b5de9de9e8749ab0ccdb57e1df5c97

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    59733e39674e7962bd44f79a443114ed

    SHA1

    099ba164d9cc7709d72dc7bcf23fb82c57703523

    SHA256

    1b451f3c657214b7954de6f539b14ecdc17bf71b39cb3c4927f5dba940dd9c5d

    SHA512

    9bc6eec87afa38be78ddb9a6d91e67d176f41da16e86fbe65f473337f29069b9a2e19b8f489e50821b93f87997181239ddbdc60d95111b625421915ef64fd6e9

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    2f5d0af5f0e9b87f323a50f4c90ecf84

    SHA1

    e805bb576d8dc9f5a225550d188026a26aa65c8b

    SHA256

    92e9086af4bbe94cc0b805eb0096f5ff1447e3b081c25f56ad2908da3ec051d3

    SHA512

    d96c884d281979e8e6ae7701175c24d5e4d4b1009a94dd8542a889b36d24f26843bb93bda886775080ae394ba3995578f2b5faff25c30dc80af2c00684f9ba55

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    31fc67c51652171bc945e4e6435b4872

    SHA1

    113e4e1a3a8538c8cac93a1681a82897a57dbf14

    SHA256

    6c0ea58aaadf9194bb314d403604bd56c0dd6162680a83ff8cfbf51ae0a82b94

    SHA512

    9203a83e7ee8049e2df9333bc0e82a332ab64d1b535b0c86647f9bc87f4347100ff84db2428aaefebe5eaab0138b38d22b079fdbac24e0b55da88f48559a8a03

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    6cb6985f4a8a3bdb230b6b66f71e0533

    SHA1

    70291c7e63d88ac7c321e96d38a5196ecf2dec87

    SHA256

    f5b15d5dc571516bd073c363870c6e5340d383cb3893df75f42e0ca8ae0893d2

    SHA512

    a0dab6a295970dda848133471707e76d9f67a31c7bed4afdcf41403c76ca8e45566749c05b311048659ebf1718cac33092868d0a786a53ea08277d615295c916

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    33ffa843651e63c4d09b6a3fc2924423

    SHA1

    3c4ae912c36f4a29ade86905794e564fa1bfff46

    SHA256

    6acf1c67e5e824140e29cbdd546a90cf8fd2498ac826f5e61b9e631838ce86fb

    SHA512

    65ece6d7bef5b1e3d61949bbe5597000cb7000f690f90b536d602ba67af794212cfd99e2f9be5363b0c92438ea5b7bed634100e1e24b967f7f4ab32325c7a102

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    5cd8865b91b3c0126e5549454c03b609

    SHA1

    9dd49549b511a4b2d191033c6d4d339044ba4d42

    SHA256

    bb7e2fa426af941e82df0254e9e4f228f7e6c9f03974e86d4755a7be56b6b3a8

    SHA512

    b53910cd49fbf99bad5a09e7f8b14a91088910e795590d4aeaede9fa5db231781cfc0721872fae54e64aaade224d728eb21bf8c02a04bd77b0284c0517231041

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    56abcbfe700eba22f1588e0b558d8702

    SHA1

    a892cf8201c230211c49e4eb7880c6a3302ac965

    SHA256

    987a58c36a4691efc47844cc50601d7734189bca453dfd7d479fb2f61b7e3c9e

    SHA512

    afeac532cf66dfce3ee5d6d788dd59c7d2dd8959354808cfc374998b9cd2d913db0c6bfb0475dc43310d0a59b305917eb31769ebb7bfdc7443ccfe60faee8969

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    d5b61c29b02f0099fd58025831819de6

    SHA1

    fa699b2f4a9bacca15b33a13e261f811f14d16e3

    SHA256

    238e740134997e5228bf9b79a2c02e2e783aa084289356c818f05aa061dab76a

    SHA512

    9a9e75ac26c10d3d55094be790fe94457d3f1a90e0f866d84f9eda39d4df0e1336c4a791e01ce5087fddf121532329fb9844d7392ae01387bcd2bb9e15da8937

    Download Submit

  • memory/828-147-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/828-144-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/872-322-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/872-323-0x000000007347D000-0x0000000073488000-memory.dmp

    Filesize

    44KB

    Download

  • memory/872-423-0x000000006C3B1000-0x000000006C3B2000-memory.dmp

    Filesize

    4KB

    Download

  • memory/872-452-0x000000007347D000-0x0000000073488000-memory.dmp

    Filesize

    44KB

    Download

  • memory/920-285-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/920-284-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1008-137-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1128-254-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1276-241-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1512-273-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1912-158-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2028-262-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2300-171-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2316-123-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2316-126-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-165-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-294-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-168-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-227-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-282-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-249-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-155-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-293-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-269-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-106-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-451-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-238-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-226-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-449-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2812-111-0x0000000002560000-0x000000000258E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2944-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2944-115-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3012-232-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3024-297-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download