Overview

overview

10

Static

static

10

6ef07017f9...92.exe

windows7-x64

10

6ef07017f9...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-05-2024 23:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292.exe

  • Size

    91KB

  • MD5

    dc09afef309993489dc3cfa2b0a479e9

  • SHA1

    82fcde0622647fcc9288ac271759758a6b12df87

  • SHA256

    6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292

  • SHA512

    e7f1b2c55d7008ada01131316cfc8947afc7fc52c4c6720f198579739d27e40c19d05aca232c4f06b0cb7f9e69554dd8eaeeaf5a50c02ae383abee539ec7bf8b

  • SSDEEP

    1536:ERsjdf1aM67v32Z9x5nouy8VTCRsjdf1aM67v32Z9x5nouy8VTF:EOaHv3YpoutNCOaHv3YpoutNF

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • UPX dump on OEP (original entry point) 32 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292.exe
    "C:\Users\Admin\AppData\Local\Temp\6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2272
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:552
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1808
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2468
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1812
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1956
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3056
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2076
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2588
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1132
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3060
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1336
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1760
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

7
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    a604f673c1f314de2810a39cf8f0e1db

    SHA1

    04834a05ad4db23445d651df14d1130d6282bc1c

    SHA256

    1e8324f454850ab9bba5860c015e353f37e4999ae0423888c6fc28ec8a38ae67

    SHA512

    5529cca60678054a5c1a06419761c87bb9409e3a5933a82936ed1c5c15c4bd1b898484898f65a782bc77a09df36df69efbf9cb2b1c344d3348729136cd5d191c

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    372eb9218619c18ba7ddca8825301f12

    SHA1

    32fc5646563fc9e60d32bb43a3755c72ccfd6bfe

    SHA256

    147121c969d3e0b986fd7a9098f1a66819f336d9eddf0c7c256184daeb2f706f

    SHA512

    cda9184c1b10d28ec4b5563cb50a1cc4b09fddce05f9d7f0d34da4f1088e479bc42585f63429cd8c9850e55baec37582df90b291fd3ecf69d160bddfa1aa1d8b

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    d3107519903cb5d14803be631fbd55e6

    SHA1

    dc3529f534029936d42c5d3eceb897c0ab24f4d9

    SHA256

    9507016b71cece4104642adc213161e1d146ccd7f9d8f5f1e35417e0796c072f

    SHA512

    38c82cce7be63caa53875019b9b19c6d6d7dff2fc896d5e423fbcff6e12645945d0be10947454f29b30db0cfc5be1360838d771178a6c3a28fd4b33ac6a4ac0a

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    d9afb3ac9924f9e8612e4e01d2394d07

    SHA1

    2bb017c8f872c27c864efb919c352e8765736f2a

    SHA256

    8d69aff27a52c9e06b615ba71330e8097a030d3f3055a6ca5c034314ff0cb894

    SHA512

    9bec35c3989cde0cb3312c3b2d6f39bbab4af594671cf2923f6d88e8bfdd967a258cf2675dd9474735f4d4b847139bc03522090ccfed1ab0f26f5bc0bfdb2ac6

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    0f1b86047d74b8a8e254bb48f8af1697

    SHA1

    e2e58973e7db063e502b8c9afd3fa9098e5cd36d

    SHA256

    91ce9bb0995894fae86fcb6d17f8e1028688b269412eafe2a5004213a77b90e1

    SHA512

    7513eeb54020634f4597463e10db0b8ae4b0433f6726266b5027446b3a82ae2eb3b1ab9326e1587066741248044335828c67ccf95d2e3e0e27fe624950b53660

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    dc09afef309993489dc3cfa2b0a479e9

    SHA1

    82fcde0622647fcc9288ac271759758a6b12df87

    SHA256

    6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292

    SHA512

    e7f1b2c55d7008ada01131316cfc8947afc7fc52c4c6720f198579739d27e40c19d05aca232c4f06b0cb7f9e69554dd8eaeeaf5a50c02ae383abee539ec7bf8b

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    e242ca35733f7184befed113d9b888e3

    SHA1

    f7493a5dbb87c2c57905522cce442f1c20db856f

    SHA256

    feb05d6ff693d9dc37a932e1094a53e54d0600c00289d3afed6fa41bb0381bd7

    SHA512

    50ebb727d7f2783d8b310711d23abb7b04a87493afe9d331bbb445ba094a8cb5e43e33ac6b759b912462fb8370ab25d0753836782be7e27950495bf8165516d2

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    5d62fdfcd72394a9c1f7ed2193487edb

    SHA1

    c992d5ac289aaf4062ebd46534478985903c622a

    SHA256

    1751836925b742ecf7ad9081c79b7cf112a8ca327cdb84010caff2b6b286dd82

    SHA512

    5ff3193514956ff272bf15551a1c3fee5bbf908fc4deb4c56a08cf35ceb723c3b089d9d6535c2c69c244f90b9825a0aecd4639a5e3fd6fd80c6b70bb90513b90

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    089d8d383a42376d1c19c25e6d34cbe3

    SHA1

    512271cb114200de242090d4709d6b9b39d67ad4

    SHA256

    f874b17d003359a62dc3cf334fcac8564cb905dbe4eedd59029a9aa95818ab76

    SHA512

    4b782b53ed426216f3b05d5802ceaf8fa4d2d4977636c9fb40029d2196410f6e3e2223e1602d28e46df7d42401d6ca820df497e48fffa2648f8dbcf8068a8c80

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    df3b689257432156cec6122b3e08e1c3

    SHA1

    9f88bf26cad4b33b400bc0372f969df322149742

    SHA256

    0163288abfdbd06e1fb52541235952aa400d82fb72dfb805cae265d92778d70e

    SHA512

    09ce96f0ef35e3ef42f98fb8e8f30538ae55f50e87b6003210a528a797325d94a8d6ff7bcfef35999c055ac5d4e4d1ce6253dbd6d67850bac1fdf856935b013c

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    9b47f85b5a75dd2ffda3b9151ad110db

    SHA1

    158c562a5afe5a29338efc86bca9aa67ee1b5005

    SHA256

    36ad76bc914faacd96ec6bfb734879dd5c7df66a0db3aae7ab8a5abadd79327b

    SHA512

    adc75fbd97f52844178e9f8d3c526a7d17807bd4a759ddd76674cac062c3fb40360e3e490b6340f6133c9b4a9491c7fef0f282d6c814b89b0ae33bafa06c3468

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    b2c37b03aa375b8f894519a0ddde970e

    SHA1

    c40ae8de2c602e4ab090b13c93d6aa7e1b492384

    SHA256

    4749c9c79ed3892e5e70327cc5aca037db3477966701ceee64d46ef6c2a959cd

    SHA512

    1a505d311db2a9ea9904bf8af3cc5bfe0929a53d409e7163f40cda8b2228256863de0093634211b09109579e16d4eed353e1121db6a7f998ce6c2d9730f86e34

    Download Submit

  • memory/552-116-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/552-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1132-263-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1336-277-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1336-276-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1744-315-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-294-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1808-123-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1808-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1812-150-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1956-174-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2076-233-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-134-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-216-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-286-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-261-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-260-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-445-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-442-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-239-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-443-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-157-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-285-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-155-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-441-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-110-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-399-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2272-145-0x0000000002430000-0x000000000245F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2468-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2588-245-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3056-222-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3060-266-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download