Analysis

  • max time kernel: 149s
  • max time network: 153s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 15-05-2024 23:19

General

  • Target

    6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292.exe

  • Size

    91KB

  • MD5

    dc09afef309993489dc3cfa2b0a479e9

  • SHA1

    82fcde0622647fcc9288ac271759758a6b12df87

  • SHA256

    6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292

  • SHA512

    e7f1b2c55d7008ada01131316cfc8947afc7fc52c4c6720f198579739d27e40c19d05aca232c4f06b0cb7f9e69554dd8eaeeaf5a50c02ae383abee539ec7bf8b

  • SSDEEP

    1536:ERsjdf1aM67v32Z9x5nouy8VTCRsjdf1aM67v32Z9x5nouy8VTF:EOaHv3YpoutNCOaHv3YpoutNF

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 20 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 20 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292.exe
    "C:\Users\Admin\AppData\Local\Temp\6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3180
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3388
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2496
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1208
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2384
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4596
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4560
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4612

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    078ee9939270cbf1a0a76b98c12168b9

    SHA1

    973c6ca30fd8e7cf9e217af33b3c9783f5234fc6

    SHA256

    646f96d5875b2b0e839ca08803eb6cc74024335f80db3ea25d75f9d736cd3a63

    SHA512

    95a83fc7705021d6576f82133a1701359ea72f2a7b582160d3f5e1916c2c1cd03b4672603c84d80c74e0ce653adb1239fe380b287e430e1820d7c159cd922b75

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    3197c18402b3121a091383523530901f

    SHA1

    3e2998cbb82b68fc1d4e914f9ebdf09862161b34

    SHA256

    99781242b85569c351c9a8da2ffa27848f8c1fa74a37442f58f68b66cdb0ea3f

    SHA512

    893143285b99451f698a040a12f2d91537afb65fb43a46bddafdb1a3cdb8be7fe956de2d135d91aed599b2ad1e78e783f974eb6143b5ac044827ab523db8064c

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    91613bae76c1107392e6eb6b31e44678

    SHA1

    67c50b5467c75b54cd05628f89066bfe467891d6

    SHA256

    0b1a5eea3dd2dd0e8915ae9b19702936cf8367cca7a1b957bfbc00a7eff046e4

    SHA512

    e28fd771f29dfd815b405b6580589bc85d9252ed4e79b1c6987469c89a610ed14cfa28a4affb7fd2711bf4866ac634c59d34f03640f59a4c4e3d0ccbafa8c944

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    bc741698748e700892957a4e857bfd10

    SHA1

    c9ec7377c1c60cdeb93d0765ac04a2df500c727c

    SHA256

    8543fb386d22ed7c211caaa96f18509ca1bd63a40a7625e0047f70f946677315

    SHA512

    750b3543cb57ef51c2d7373acb995953540a092f88cf9050813544e1571e462c08c6621947e1894e5b8ddf031b678bf5be1ac4c30a12dedbef752fc7e054188c

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    b7a119b486522d54ea20c89b52d6a30a

    SHA1

    608eda06850158565d3d67e726446118a52fa543

    SHA256

    d77c7e7f2b341a21dde10b524a4d642096849b3d5ffe221229a726cb40536fe3

    SHA512

    bef9e1d42e34f27983fc7a5a49cd4d03f0bb619f20672d9013e14ab56e0fe468a59c7beb663c17a64f56348630fd04d26abaf1a61f1fb4ec509144cd94d9dc25

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    dc09afef309993489dc3cfa2b0a479e9

    SHA1

    82fcde0622647fcc9288ac271759758a6b12df87

    SHA256

    6ef07017f90f3c13a00d3f00ba78f46a937182fdc601a4633a6458c93de8c292

    SHA512

    e7f1b2c55d7008ada01131316cfc8947afc7fc52c4c6720f198579739d27e40c19d05aca232c4f06b0cb7f9e69554dd8eaeeaf5a50c02ae383abee539ec7bf8b

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    7b699ab1bc64b158eff2d9e3848d8a28

    SHA1

    a5cf441829fcdf18adc11d5f231be35b7410438c

    SHA256

    7cca3273de30b5fff4b3c609e8711b1bfb6142783be4dd3b34906eb45c4313fc

    SHA512

    edb599811444b8f03a67aba06525bd1b57c11ff293ccd318e922a93bd55879b029caba23310c236f0f4dadaa5072c232386aa63e450ffb7b838d2d36977ee8ab

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    5116e4032f94653c6fdb0e73e1cc0a6e

    SHA1

    7cf788356115d19adfa05cbc1d90f6a48bb8ffa2

    SHA256

    5076a430a5dc267d206891aabddc41a847e9182f5aead2eaf9cc0bb0d7be97f4

    SHA512

    f3c1882ce93b4f7f47cecdc1bd5252681eeba6cb42004fbc8d9a78ce6ef43f8b01e8b8be4f48219c2f7f5a417efed0164c16eba9056ca1ea728be3a3bb931211

  • memory/1208-121-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1208-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2384-133-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2496-118-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3180-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3180-157-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3388-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4560-145-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4560-148-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4596-136-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4596-141-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4612-155-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB