Overview

overview

10

Static

static

10

106b56f878...9f.exe

windows7-x64

10

106b56f878...9f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/05/2024, 18:44

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe

  • Size

    45KB

  • MD5

    7981f54b51ab1c6d3ce00fe207fc44c4

  • SHA1

    40a02f8d7899f24700d1f86300aee0af17fa8aac

  • SHA256

    106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f

  • SHA512

    b080fd8600b30e1d97ee21f336283dfee84e2a767e626973dc338c39e8454f4a1453945d9d3aaa8dab472adcb7ae00223feb1671a7a3ac539713ae9ca6be36e9

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nE1A:8AwEmBj3EXHn4x+9am

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 19 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe
    "C:\Users\Admin\AppData\Local\Temp\106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1868
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2040
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4844
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4004
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4976
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5072
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2464
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3880

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          45KB

          MD5

          b8e491b9a9eaf1e35552b1fc2c118295

          SHA1

          5b1dbae2cc2d0f4a3ca9fa71a2b407003971fefb

          SHA256

          d0d288f6c6e28b26b022d9852b480facf37ff7a5fc30f14a374ad6f04c82725a

          SHA512

          b5c23bfaacce6d0dc83fcece6492be2dd7879e4c007bd660eeef16c18f3676497bb4056cf527076110e5fc47acc9ed738ac9f0941895c093b896534a5c0160dd

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          45KB

          MD5

          a70feddaa072a63357bb468ed29d2490

          SHA1

          88d07faeebce036090806859609e472c4a7cca06

          SHA256

          c9b0e35d70fc9d3dba31e14d3346e5d9a9908d789a8f2370847f4bef279a7446

          SHA512

          d651e72bcedae157dc4eae151f29025feececc8316ad1b791b25c6e3aa4c581d5dbf824bd889f496b7ac21c8339582108cf26f1fb8d4de71b94635417f55cb3e

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          45KB

          MD5

          83b9718aed777302836d93a6da7d5f00

          SHA1

          fe4466153f3dc4a1a091c5fce54ad9dc07f7d404

          SHA256

          621bf43627b164129871bed50149c9f07ef6a07fb9857bf7f916b28ea30bed39

          SHA512

          ad2aa96fa5985f945209b831d30cdc8c2a9207ee5b551fe3523e29d224b71bd6984d7b75b251232d0454fa7ddd62e0767ba27f6e850b26abb3ffaf0ff6da7548

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          45KB

          MD5

          9f1d5fe30bcde40bcd2412048c80e025

          SHA1

          90df5d4596dd5b176003a586bb17d3cff9faf5e3

          SHA256

          da5e065e67103eba3a5d150cc091634df5e2888f60f6fb33f5151b387c19a0a5

          SHA512

          e8adc906d21fa2bfd77fbafc0a15961a02849893f50a23addb375ec841fa8f82622dbf013260394c71e5d329a35eafd80977812bdb719c73b0d9bd0fcb7321a1

          Download Submit

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize

          45KB

          MD5

          7981f54b51ab1c6d3ce00fe207fc44c4

          SHA1

          40a02f8d7899f24700d1f86300aee0af17fa8aac

          SHA256

          106b56f878fb35b101343488f1ffd144d19d2f0cf4280c976c85b777298ea99f

          SHA512

          b080fd8600b30e1d97ee21f336283dfee84e2a767e626973dc338c39e8454f4a1453945d9d3aaa8dab472adcb7ae00223feb1671a7a3ac539713ae9ca6be36e9

          Download Submit

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          Filesize

          45KB

          MD5

          d861dcd1bf2ff50553b38e2588862265

          SHA1

          adcaee2bae0804496292de3bdeec21570812c1df

          SHA256

          7f3f98fa15740ac057052646ccbfe2b38a00c87d278adf5fee87e4f6d1bf2728

          SHA512

          c10f00187f01971fa7f6d5841d530df668287dbd6df88c45cd5a3e3f15da8617757c137964dc0961df5921d7d05e2bf40370cccaf7aae6994ba38488e69bde90

          Download Submit

        • C:\Windows\SysWOW64\IExplorer.exe
          Filesize

          45KB

          MD5

          4b7441df9108c0a5c52de4958c26baee

          SHA1

          64623a672b25f868abb7763e84918b3d28e49c74

          SHA256

          7e319f1c4ce720093573114d6f1d88117c2998ba1801b01aa2d3e51323324093

          SHA512

          ed18fdccd122c88a758eb6cbe2d080562ccb24cd8776aba1b30ba41f73d2dd4d121c02336b01dbb3c065a467ef30f5f40eabd759865d8a8f0825395362420497

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          45KB

          MD5

          6dbe8485aa82d6f561f4b29644969dfc

          SHA1

          ccdf963f580677e76f9c6b0e7598e80dc0a2fef3

          SHA256

          028f1fb4eee2c09d8431fcf11e9ac0ca96a6b7044a1f6c524cf49d1629555d92

          SHA512

          0279f984e7840fe9d1d7556d2bc26a0ffae08b5cdf6fa5c5497affaf67823de4d36cc286eb4e2d532ffe6071699f5d3392175736e79c20109886b9e9a5b0c539

          Download Submit

        • memory/1868-155-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1868-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2040-112-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2040-107-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2464-147-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3880-154-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4004-128-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4844-118-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4976-132-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/5072-137-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/5072-140-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download