Overview

overview

10

Static

static

10

da0f3addd9...82.exe

windows7-x64

10

da0f3addd9...82.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 04:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da0f3addd92984057e7eb06b314cd3f7393d264db492905f4208579d173d3182.exe

  • Size

    130KB

  • MD5

    a002046e6a08f24b959b5167e71e4e97

  • SHA1

    c7b918c40d32e054cb6e304c7cbdd1b4394380fb

  • SHA256

    da0f3addd92984057e7eb06b314cd3f7393d264db492905f4208579d173d3182

  • SHA512

    6170dcace6538d3cd00bc2f8bb98d68a3f2ac021c1e38c8cf3b8af07d0995a6c890ae63b7e4260827b20c879c010156e0df60b9b595138280cd1f58cfb22ff65

  • SSDEEP

    3072:EGfAUbd5CR4Up+UPO0ksS7KoD1f2CfUpHzk2r07:X1b/UJO0m7Ko5fvfo3Y

Score
10/10
evasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 43 IoCs
  • UPX dump on OEP (original entry point) 22 IoCs
  • Disables use of System Restore points 1 TTPs
    evasion
  • Sets file execution options in registry 2 TTPs 12 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 42 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da0f3addd92984057e7eb06b314cd3f7393d264db492905f4208579d173d3182.exe
    "C:\Users\Admin\AppData\Local\Temp\da0f3addd92984057e7eb06b314cd3f7393d264db492905f4208579d173d3182.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
      "C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2868
    • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
      "C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2432
    • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
      "C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2420
    • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
      "C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      PID:2884
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Sets file execution options in registry
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\HKH5L3E.com
    Filesize

    130KB

    MD5

    a002046e6a08f24b959b5167e71e4e97

    SHA1

    c7b918c40d32e054cb6e304c7cbdd1b4394380fb

    SHA256

    da0f3addd92984057e7eb06b314cd3f7393d264db492905f4208579d173d3182

    SHA512

    6170dcace6538d3cd00bc2f8bb98d68a3f2ac021c1e38c8cf3b8af07d0995a6c890ae63b7e4260827b20c879c010156e0df60b9b595138280cd1f58cfb22ff65

    Download Submit
  • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
    Filesize

    130KB

    MD5

    0e07f4f1f0413078bd9321be6c2516aa

    SHA1

    9a9abe829685a8266455322ef34177369436cb1f

    SHA256

    fa6c79d1021e9af7afde6d6312f9ee93c01b33335836e29a0081816f2171aa7d

    SHA512

    e8597f9c3f5c8c61cb407c41444e15201780c1a7eb791c39ca4b7f60abecd4303759c976cf8511db12900738b7e046ca0ba4bff1da2957dc9da2071a298c8a78

    Download Submit
  • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
    Filesize

    130KB

    MD5

    100e0b141e598cc9dd863320fc5fba43

    SHA1

    80978a30ac4ff24242df992a8bbf899c0a1eb3fd

    SHA256

    be7f02a9b5f06e1029f74ffcb7b1e7aaa1380f971fbbfbe85fcb3beef94bc9f3

    SHA512

    9e21fed3229d6c691b78eb1e1d2683be7a3a06d2bf7732611773401b9ec1069a4636293f2aa5c6025d1a4d24afd6e09758577671036ca00040e8c836b5c394a6

    Download Submit
  • C:\Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
    Filesize

    130KB

    MD5

    deacedeb84ee1c1df9cf7702ad95a904

    SHA1

    c450cb35011903224ad4b0a431f9c0524203b725

    SHA256

    49f7295c0c1eb900c9af8a549cc411f8a2c1bcc0ce876e64e012f9522785fa88

    SHA512

    dd3f660615ba3416dde22b6d0b3623f51d0d95409a1b2d417c863054d29daa60c37c6a00d5c61e5faa09853bf3d0c5a49c7551edefc9fa92ddddd63bc09598be

    Download Submit
  • C:\Windows\KNX5H7N.exe
    Filesize

    130KB

    MD5

    d30e3b0c4cb9ab4ab3b537cfa565ee73

    SHA1

    b39b615c4a20a38c06e6ee1263b261d7055ea0d8

    SHA256

    b672b45fefdeb429c7f4d1f01411d684e1ca1e5aa53e8d725b60d6005d0b2d80

    SHA512

    41c0a760711b40b08b6d9c06ae7dd5e116261cf68abb5aab7693afeca4ff599a0702e6dfcb8666b979f1e2e900af98dac35740081f26c6b5519cd91280be7131

    Download Submit
  • C:\Windows\KNX5H7N.exe
    Filesize

    130KB

    MD5

    1e17ae5cedfa736365d46a079554fa1a

    SHA1

    7ae9cbe64487100497fc1f20e358e3d10ef56a43

    SHA256

    783e7390c2ff52c48d925abd4d9acb7bd5fb045b2835bea337b1b05091892258

    SHA512

    91cd730c211aba3ae642665d55cd985288727d3af016b4c4652fa7e6c9f1053fb2b9f73237b6932a37ca70cb5bf823b338d0463329b9667754ab67a7caa7aa0e

    Download Submit
  • C:\Windows\KNX5H7N.exe
    Filesize

    130KB

    MD5

    7e876e4fb1cac6a1d4a0ccd8244be9ba

    SHA1

    561055850afaa050bb53c4c3bc3ec29bec9b6fa5

    SHA256

    b95fc7baad2f0e75658754b3e4eab3c634056d0b0fd75344f5c003cb8e546601

    SHA512

    a32b9a3a9888812340e942740319c34f5b31aa7a28ca03ee94a7cff518b6c5c22f6bf7560a099ea73dcf3bd2db9f0762580284968392584f4377bff03b4f2a71

    Download Submit
  • C:\Windows\KNX5H7N.exe
    Filesize

    130KB

    MD5

    abb5a127198d1361c71ad2061ec71d3d

    SHA1

    e1bb0d76e6d7f20608e4bb5d6f730300f54a05c6

    SHA256

    736cb38a12909cbeda755294c22f2ec6359735444978a99f1e6d862068c13f18

    SHA512

    e79b85470f7ffbbd71130d841d1eb4fa54ba34d3c347c2a2847bc104eb753d08d16b276abfc56850b090e0434e9d8118cdfca58c186d6622ef1da44cff7dd4b7

    Download Submit
  • C:\Windows\QUG0C0X.exe
    Filesize

    130KB

    MD5

    2d18e3919515965275590696f214e070

    SHA1

    5f37414544f52b669e8ebcd9102777832046bf2f

    SHA256

    b5ff2e9d4717507a669e9ea8febe33f53f07fd3789aeba07e2a417e87475726e

    SHA512

    fc276b4abff87114a2ca2b76462a23042b19d68f416afc0951e46c5d0c5f6cf399875301a99a555ee4ad6bf79d7fd4be67deb1fa3e30fa35443035ec127be363

    Download Submit
  • C:\Windows\QUG0C0X.exe
    Filesize

    130KB

    MD5

    bbe63011db819f335aca0b4355246078

    SHA1

    d913ff0015f0639842ccf874f25e454dc3f6eaa9

    SHA256

    47cabe27a49cce6eb5ebe7cbf86c2ab74df1e249b452637855f7ea164d5ee2ea

    SHA512

    2407e7c5e32140dfbafa2c622d2c07d2153a7886a25d7a1354cb48585a812bea3306670ed644f3c0fe0c4284303bd5481679b6c73baf3b9b730f3ae35d5b51e0

    Download Submit
  • C:\Windows\SysWOW64\CYF5K4U.exe
    Filesize

    130KB

    MD5

    bd8d4ef0d3abf865dc269de83ae8a150

    SHA1

    9600afe6e888f8f04fa52a09486eab103467741e

    SHA256

    3cc530907497633be3941a3c5344770b5e5983b296e2f2ed5cb75d9ad0652f7f

    SHA512

    02b56bd89cbc6a8a2fa5aa1d0ee0d9f96fb12c6b86c31df808fd3a718b76584fc4f4102c670dac9b741cfddd143ad223c1d710bf5195577a8b001ca18d489b45

    Download Submit
  • C:\Windows\SysWOW64\CYF5K4U.exe
    Filesize

    130KB

    MD5

    a326ee27189583aca1a81906ba6287c4

    SHA1

    a38fa018260f762b42f05dcc55e77327a24f14d5

    SHA256

    e152fa1eed5d8335112a9414f055ba577f258bbb6b12b5215ed4e71bf11a1d61

    SHA512

    1711c05f1ca64d70f2c56fd8cc3170c6fe944065d851665c56a232850571d86727d1ad7c14ee930060723fd3163cdbd230b3f6f41765a065b80daa97bc006765

    Download Submit
  • C:\Windows\SysWOW64\TON1U6PQUG0C0X.exe
    Filesize

    130KB

    MD5

    2ff036f2b13b54e8938dc6bc500661cb

    SHA1

    99f6a7aea17d578df14fd2ad5dec5d1a17ed57e7

    SHA256

    1d42fb7ae1f8a784779f99f5e970260fce9ac8366d917ad2c31c0ef9aad29ca1

    SHA512

    ed4a645da7f6850c5261e128fc028a6c30134b116d93912dee974a9417b2f97651d92c4ca850c1c8b34986f7200f811390f0b761d31fd5fef09fc5f49b0a89b5

    Download Submit
  • C:\Windows\SysWOW64\TON1U6PQUG0C0X.exe
    Filesize

    130KB

    MD5

    4d7799cdc2c5d7c4fb2566523207f6da

    SHA1

    7b6b57a31859d3e142b50774bc00cd2e190194ed

    SHA256

    2295fdff3d2fc296107212529471d371168738e6f21f0e6f3504116648d123e3

    SHA512

    71c41179fe59b13afe5b9c02791257ac06f505221ac97fa80cc19e9a421ade9ea5df09117520b30e17e1769083f5416baf730176f6e7b76c618e2ed7aa83a134

    Download Submit
  • C:\Windows\SysWOW64\TON1U6PQUG0C0X.exe
    Filesize

    130KB

    MD5

    645aaf399a64a16baa6dd339519b9ee5

    SHA1

    215789034ef2c5b7db247a420eee3374db0947ca

    SHA256

    cc2aa5d23d95a7435bfc31e4d6ce311f5b0569caf9fc2b131d59711c37e58a4e

    SHA512

    2824b51ed1dcddebccac852d834c813e9c8e06babe5ac0124e5e1dc447cbab4a60682bba30a688734aad91549ee9c0fedd94a7e16a5e7479dc52c5bab3e4d7b6

    Download Submit
  • C:\Windows\SysWOW64\systear.dll
    Filesize

    141B

    MD5

    004b104ab16275b4bade96e27140a3ee

    SHA1

    2bca845a8a4ed3406df9b3da86634065f6f66179

    SHA256

    73d48c9695f64f4a6870f192227d7f1cf569dce27edd6b44296d00326b6de2af

    SHA512

    2bf16a1b2bee5cb9c60f98c7548e6bef59ab414a166fcac078cc0c14e39b439d8b9d59bf8416b0e7328c8ffcfd86d7f7daa552c1dcbd5ac59c044c75db466119

    Download Submit
  • C:\Windows\cypreg.dll
    Filesize

    417KB

    MD5

    65a3ed6f11ee1ee326e040a1348e49c1

    SHA1

    fc5a7b62fca85ea1b59089ddd42c61c9a4174556

    SHA256

    45c87ad35ff04e777d59cf81520d85bbef33f124c029e0f66c099d9ca001b8e1

    SHA512

    34cf8335336f998b3f7ea37ecb90a8e0ba0e49549be9970d2a0601aa59431759bdfc12ab8210549e6b4e8b6a311f494372a63a8bab23dd8685e9166e185b870a

    Download Submit
  • C:\Windows\lsass.exe
    Filesize

    130KB

    MD5

    bf0ffa6df3f7f888eea7f93f11297ed9

    SHA1

    91bc215d7793a93a09e8ba2c02c72db66f2b3c10

    SHA256

    815395585d4a1f8b1b9cf85e8e1209ce3ea72ffd290f51bed5157602f6f630c3

    SHA512

    412241859ddc3b0ff514234ce0c7ec86e2f913ae269b01e14b28d5e07292b569dba310b6436c8de70fbd23b8deede430ddbd45088ed929506a0439cc17a24ae1

    Download Submit
  • C:\Windows\lsass.exe
    Filesize

    130KB

    MD5

    2fe7e74a48d0e36e020bad42b221c2ff

    SHA1

    8eb7332d1886ceb85717624041b906550149b932

    SHA256

    e3b4fd60f7e2b03cef74e1d19cf64a1548438e03baba3c0989e1fc4414415b96

    SHA512

    3df28172e85f7df2461e20dbb462ef743eab188e79547ef46a400880c6211cd4155d2dc576a7d526cc98f5895fcdff1315ed8d8e5cba05fe372a1d73f2046aad

    Download Submit
  • C:\Windows\moonlight.dll
    Filesize

    65KB

    MD5

    c55534452c57efa04f4109310f71ccca

    SHA1

    b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

    SHA256

    4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

    SHA512

    ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

    Download Submit
  • C:\Windows\onceinabluemoon.mid
    Filesize

    8KB

    MD5

    0e528d000aad58b255c1cf8fd0bb1089

    SHA1

    2445d2cc0921aea9ae53b8920d048d6537940ec6

    SHA256

    c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

    SHA512

    89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

    Download Submit
  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.3MB

    MD5

    381ee69841c54efd9f93ebe332337865

    SHA1

    3327c2f495d3dedd4c07bd258e7026e0de1c1d7c

    SHA256

    24be6f1a5642f8bf311bcb1c85142178be6d682ced4f5ef8fdeeddeb39df16be

    SHA512

    69cb19699ba5c83883ef6d24ffed4345448e2ead12ba1d41378e6a6ca5ed7d788c637dab05996969b4c9837545490e63aa6b52ef7168d646c27442acca2ae3ad

    Download Submit
  • \Windows\IOU2V5J.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
    Filesize

    130KB

    MD5

    e38a6fc2c6bc1408f0607cd66d5e788d

    SHA1

    edfdeb4301272a8589f58a93389cf0d38adcbfd8

    SHA256

    b2abc89c9c3eae876781a4f6911ea1d73254872f0ddf9ba27ed52d0ff971bd78

    SHA512

    8d6e691bcf4d5e0709423fc863412665119de23a4e5e5ce013594ba0b0c3b8f9dd17355002753a15d14eaad326a3674c5f87f0a9d723c7d7e96163e3467d0337

    Download Submit
  • memory/776-211-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/776-304-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/776-292-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/776-282-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/776-276-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/776-310-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/776-253-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2420-307-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2420-79-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2420-257-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2420-273-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2420-250-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2420-254-0x0000000010000000-0x0000000010075000-memory.dmp
    Filesize

    468KB

    Download
  • memory/2432-82-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2432-249-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2868-248-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2868-77-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2884-263-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2884-269-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2884-252-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2884-291-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2884-258-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2884-85-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2884-315-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2916-208-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2916-63-0x0000000003670000-0x00000000036E7000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2916-1-0x0000000000400000-0x0000000000477000-memory.dmp
    Filesize

    476KB

    Download
  • memory/2916-54-0x0000000002790000-0x00000000027A0000-memory.dmp
    Filesize

    64KB

    Download