Analysis

  • max time kernel: 119s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 19/05/2024, 19:05

General

  • Target: 17deb89d28d78f89b9146e679bbb8e69720eb8b70291cc140f2d5b64a3fe861b.exe
  • Size: 352KB
  • MD5: cd3ed6798499172d616423023bc3f596
  • SHA1: 051788c9c8e3a4d5e42b9ca78a9e4a3e8d8d514a
  • SHA256: 17deb89d28d78f89b9146e679bbb8e69720eb8b70291cc140f2d5b64a3fe861b
  • SHA512: 28cc689e3fd3f35d5a977999b2cbe33cfe8a0a9d76f6a8c9cf591ce951cb119c63779f289779869fc12d8a5bc5e9c61da642f14fc8f86099554f3be5613e4f7f
  • SSDEEP: 6144:vIGEnprZkRs38t54c6rzNdfzIGEnprZkRs38t54c6rzNdfI:vxEnAR934nxEnAR934c

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • UPX dump on OEP (original entry point) (18 IoCs)
  • Disables use of System Restore points (1 TTP)
  • Drops file in Drivers directory (1 IoC)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (8 IoCs)
  • Modifies system executable filetype association (2 TTPs, 62 IoCs)
  • UPX packed file (18 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Drops desktop.ini file(s) (2 IoCs)
  • Drops file in System32 directory (14 IoCs)
  • Drops file in Windows directory (19 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel (42 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 6 IoCs)
  • Modifies Internet Explorer start page (1 TTP, 6 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (39 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (20 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\17deb89d28d78f89b9146e679bbb8e69720eb8b70291cc140f2d5b64a3fe861b.exe
    "C:\Users\Admin\AppData\Local\Temp\17deb89d28d78f89b9146e679bbb8e69720eb8b70291cc140f2d5b64a3fe861b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\WlNLOGON.EXE
      C:\Windows\WlNLOGON.EXE
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2508
    • C:\Windows\SysWOW64\Shell.exe
      C:\Windows\system32\Shell.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2860
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1272
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2740
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Desktop.ini
    Filesize: 65B
    MD5: 990a0bd866566534e37192439277e040
    SHA1: 90abfe04350a375df3beddd411256143e606461b
    SHA256: ee3aaf1bcc2539bdddb6f25f4d0902cd023d83d902196d1bf2fcd37a73469038
    SHA512: e598c68ae8f1a62cbc870fb7cf2c634ba24d1f1bfa62428a23aac7c914b3a775fa06564b6e084eaf9215086da433a80e49f2cbe81ca990414df3e57716dea4b7

  • C:\Windows\MSVBVM60.DLL
    Filesize: 1.3MB
    MD5: 5343a19c618bc515ceb1695586c6c137
    SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
    SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
    SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\SysWOW64\OEMINFO.ini
    Filesize: 462B
    MD5: 45d327d7d806625d696945dea064d7a2
    SHA1: 81a36b2a66c8dcce870a82409c6f772cc06addf0
    SHA256: e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a
    SHA512: 8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c

  • C:\Windows\SysWOW64\OEMLOGO.BMP
    Filesize: 40KB
    MD5: 4de286f5923036648db750d58ba496e8
    SHA1: 0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67
    SHA256: eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c
    SHA512: 069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

  • C:\Windows\WlNLOGON.EXE
    Filesize: 352KB
    MD5: cd3ed6798499172d616423023bc3f596
    SHA1: 051788c9c8e3a4d5e42b9ca78a9e4a3e8d8d514a
    SHA256: 17deb89d28d78f89b9146e679bbb8e69720eb8b70291cc140f2d5b64a3fe861b
    SHA512: 28cc689e3fd3f35d5a977999b2cbe33cfe8a0a9d76f6a8c9cf591ce951cb119c63779f289779869fc12d8a5bc5e9c61da642f14fc8f86099554f3be5613e4f7f

  • C:\Windows\WlNLOGON.EXE
    Filesize: 352KB
    MD5: 7935b4336261cd826ea7870d6616e67d
    SHA1: 68599f3fb05bca49f861d24dba935ec879d0ea34
    SHA256: 0ecae055d0bdf0d271757313c8400de91efb17f0bbfeacaa7a36a2f0f177d1a3
    SHA512: aec1e69e235bdb6d39e3b6eae86d1a17107beb5c75b75782392dd752c15ee0828f52bcc04e4a04904d26c8216a2c9e1fc9d38690b8da24fa8542d86f56271c61

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize: 352KB
    MD5: 2084ecf3b29d69df36029e6601f33ebf
    SHA1: 526ad1baa2987bf10bf49ddb6d4a170d3029cd20
    SHA256: 0afbad943b0b508523fad801ef7c617ef5b76118ae7eb5d1cf36d046b77c26a0
    SHA512: 7a4a9c28a9a4eeb53cb4a22616cb49a2fdfc10135d66f3c348817b9327492221604f35558c849ef06eb650ea251673c87221cd1e3e0ced53efcedfee946c0d58

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize: 352KB
    MD5: 263e9738c827101de2d4eb6cda3b0b7a
    SHA1: 8bc3092c878292e3cbd70595756b037dbb995d98
    SHA256: 2e323fc18cde4bb7c06df3724aa13cac6f1238db0f6e50c277050eb51c59b2f4
    SHA512: 456fdc4745c7f5bc0bf0eda4d1cb5f64604980a64d42196c01b8724e3c0b69893b4dda28b926b2af81cdd057b8d99a19bcaf64778b8d4073b4c7bfeb4c86689d

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize: 352KB
    MD5: f095573ebd6e22e779954f28c58d1121
    SHA1: 0e71b3031ef88b6b9aa46feeed1aea239adb307f
    SHA256: b524e716243f12b159c08d8b1476ee00067863ef3b36b36c2f5f0475fba5fa8a
    SHA512: fd00985fd25696cd5814575b8dc9a2fddd7b13b3bc3d75fb4fda0203429887ef1f95addee1ac58bdf05ee0962f08c9e631c01d9c07563f222a61b018d423d49c

  • \Windows\SysWOW64\shell.exe
    Filesize: 352KB
    MD5: b0181330587c75061ac9f17b722e6833
    SHA1: 1c13edb758ac4c1dd6b436ac22ab61db48533126
    SHA256: e6d773a8a0d7be3fb760793ce66991769917305a780095c735982f537af932dd
    SHA512: 36852a4be3ccc02d459ce0d03edd6d32aed6f3b78996817b5beb29516670b147f86271e98ece56054c047d7dfc1f101ca5a479acdaeb75f28e0033d1a910402d

  • memory/1272-574-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/1272-113-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2096-0-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2096-123-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2096-659-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2096-92-0x00000000035E0000-0x000000000368A000-memory.dmp
    Filesize: 680KB

  • memory/2208-135-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2208-658-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2508-133-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2508-150-0x0000000072940000-0x0000000072A93000-memory.dmp
    Filesize: 1.3MB

  • memory/2508-94-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2740-639-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2740-124-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB

  • memory/2860-159-0x0000000000400000-0x00000000004AA000-memory.dmp
    Filesize: 680KB