Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2024, 22:14

General

  • Target

    5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe

  • Size

    45KB

  • MD5

    4eae1eef38400d1e90011f887c700932

  • SHA1

    172988046bc829608da1865c5d1c942aa22493d6

  • SHA256

    5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54

  • SHA512

    3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEqP:8AwEmBj3EXHn4x+9aqP

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 27 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
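
The signatures above name the registry-backed behaviours (Winlogon persistence, a Run key, the exefile association, RegEdit and System Restore policies, Explorer visibility settings) but the page carries no IoC detail beyond the counts, so a responder has to go and look at the keys themselves. The script below is an added example, not part of the report or of the sample: it reads the standard location each flagged behaviour touches and flags deviations from stock Windows settings. The baselines it compares against and its rule that a Run entry launching from a user profile is suspect are assumptions of the example; managed or hardened hosts may legitimately differ. It deliberately does not grade the Explorer HideFileExt/Hidden values, because their stock values already hide extensions and hidden files, so a static comparison cannot tell a write by this sample from the default; for those, registry write events or the key's last-write time are the evidence. Collection uses winreg and therefore runs only on Windows; the evaluation functions are pure, and demo() feeds them a constructed snapshot shaped like this sample's behaviour, not values the report records.

```python
"""Registry triage for the behaviours in the Signatures list above. Added
example, not from the report or the sample; stock-value baselines are an
assumption (managed hosts may differ). winreg collection is Windows-only."""
import sys

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
SYSRESTORE = r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

def _exe_path(cmd: str) -> str:
    # Executable part of a Run/Userinit-style command line, quoted or not.
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def check_winlogon(shell: str, userinit: str) -> list:
    findings = []
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon\\Shell is {shell!r}, expected 'explorer.exe'")
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("userinit.exe")]
    if extra:
        findings.append(f"Winlogon\\Userinit also launches {extra}")
    return findings

def check_exefile(command: str) -> list:
    # Stock value is "%1" %*; anything placed in front runs before every .exe.
    return [] if command.strip() == '"%1" %*' else [f"exefile\\shell\\open\\command is {command!r}"]

def check_policies(v: dict) -> list:
    findings = []
    if v.get("DisableRegistryTools", 0):
        findings.append("Policies\\System\\DisableRegistryTools set: regedit blocked")
    if v.get("DisableSR", 0):
        findings.append("SystemRestore\\DisableSR set: restore points disabled")
    return findings

def check_run_entries(entries: dict) -> list:
    """entries: value name -> command line, merged from the Run keys."""
    findings = []
    for name, cmd in entries.items():
        exe = _exe_path(cmd).lower()
        if "\\users\\" in exe or "\\documents and settings\\" in exe:
            findings.append(f"Run value {name!r} starts {exe} from a user profile")
    return findings

def evaluate(snap: dict) -> list:
    findings = check_winlogon(snap.get("Shell", "explorer.exe"), snap.get("Userinit", "userinit.exe,"))
    findings += check_exefile(snap.get("exefile", '"%1" %*'))
    findings += check_policies(snap)
    findings += check_run_entries(snap.get("Run", {}))
    return findings

def collect_snapshot() -> dict:
    """Live values, Windows only. Run is read in both registry views because a
    32-bit writer on x64 (this sample is tagged arch:x86) lands under Wow6432Node."""
    import winreg

    def read(root, key, name, default, flags=0):
        try:
            with winreg.OpenKey(root, key, 0, winreg.KEY_READ | flags) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return default

    def run_values(root, flags=0):
        try:
            with winreg.OpenKey(root, RUN, 0, winreg.KEY_READ | flags) as k:
                return {winreg.EnumValue(k, i)[0]: str(winreg.EnumValue(k, i)[1])
                        for i in range(winreg.QueryInfoKey(k)[1])}
        except OSError:
            return {}

    lm, cu = winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER
    return {
        "Shell": read(lm, WINLOGON, "Shell", "explorer.exe"),
        "Userinit": read(lm, WINLOGON, "Userinit", "userinit.exe,"),
        "exefile": read(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command", "", '"%1" %*'),
        "DisableRegistryTools": read(cu, POLICY, "DisableRegistryTools", 0),
        "DisableSR": read(lm, SYSRESTORE, "DisableSR", 0),
        "Run": {**run_values(lm, winreg.KEY_WOW64_32KEY), **run_values(lm), **run_values(cu)},
    }

def demo() -> list:
    """Evaluate a constructed snapshot shaped like this sample's behaviour
    (illustrative values; the report does not record the actual data)."""
    return evaluate({
        "Shell": "explorer.exe, C:\\Windows\\xk.exe",
        "Userinit": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\services.exe,",
        "exefile": '"C:\\Windows\\xk.exe" "%1" %*',
        "DisableRegistryTools": 1, "DisableSR": 0,
        "Run": {"SMSS": '"C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"',
                "Updater": "C:\\Program Files\\Vendor\\updater.exe /quiet"},
    })

if __name__ == "__main__":
    for line in (evaluate(collect_snapshot()) if sys.platform == "win32" else demo()):
        print(line)
```

Run it on a suspect host as an administrator so the HKLM reads succeed; on any other platform it prints the findings for the constructed snapshot. A clean host returns an empty list from evaluate(); every finding is a lead to confirm against file timestamps and the Downloads list, not proof of this sample on its own.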

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
    "C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2912
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1920
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2072
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2400
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:328
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2068
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1568
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1248

Network

        Downloads

        • C:\Users\Admin\AppData\Local\services.exe

          Filesize

          45KB

          MD5

          4eae1eef38400d1e90011f887c700932

          SHA1

          172988046bc829608da1865c5d1c942aa22493d6

          SHA256

          5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54

          SHA512

          3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df

        • C:\Windows\xk.exe

          Filesize

          45KB

          MD5

          d708fa901e2991c436d54453d58dd3fc

          SHA1

          93f7ee3e0fdff444343794c96accbff99befbeb7

          SHA256

          a806201ac1da4963163c7834426191f97cd11c2a3ac1ade9f2c3e5b2d765c3c2

          SHA512

          177865267d71acef0c84c9980824b57af91f232b5d3319d1d91a212206e3378d0e7bdd0ff3d6e55447a5adb5998617c9f5e302f7ace9e5eb2646451164379b66

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          45KB

          MD5

          1f5e42eaaf4ba5ceb943efe7d79fe1b7

          SHA1

          7520979954e0e9e5a6b8cd7a471a28382df3cf86

          SHA256

          37b37951adf15b74e9ac68024afa75fb153396a5341daebc8f671d6951090291

          SHA512

          79c7fce12d045bf53950815b55b5d5dbbedfe72f69d36aeca1935fb82c73d1c622b701c26619353c6ecd925f9586809ecc7009fb4be686480c806e6a82ae87cc

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          45KB

          MD5

          37988b2bfc167881a2489481f9c13954

          SHA1

          ab85e0492e024aad5370c17e2420996096d865cf

          SHA256

          512d4b99172f04f86adf9725c330ce73a634f463688b4c70293533c7a2e5f1cf

          SHA512

          71a74dc8950f7713ee875704aa3f7141377ad234b3ee4ebcfb2fed24f46c2bb817c6e44163dfc659b36d0e78d019081d227f142b94c2926585faac028c1598f0

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          45KB

          MD5

          92374656376d5541ee3ad20c8d1bdf38

          SHA1

          5f7422246defc547d6d5f770bbd41336e43bf299

          SHA256

          5f9eb83d4632d4ad4e9b9b7de59765714aca6b35f4ec635e1f11405b70b98bd1

          SHA512

          54e69bc2cf49fc3b6850b74b0b0012e2732bbc57c4905866dcd6f6acca62bc284d1e61ed2c86408515d9ceff73203a890a323a49b4a19d52c4bc1e1a036c5a4b

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          45KB

          MD5

          ce06fd118271b3de36a7a8daf8a02464

          SHA1

          31a5832d7d6cb34c4241d41fd6cb056c1b41fd32

          SHA256

          4493c5c95f1d05b8dec6ac126e9c678e3d2f645dd3ad61e0724201442b1e2293

          SHA512

          2ac89098b09570e508f4d1dde7041856f17021504e6810030c0421feb5b2d2be510143b689bcbdf55f55503fe9ca071f23d3135f0e4c3e7390f257f7d2207521

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          45KB

          MD5

          4f6e1923f4fd563cc9ff93315c5e955a

          SHA1

          54ae0ea2498acb54673aeda5312e987018fa11dc

          SHA256

          015dfc6fd876d90e9809ca45af139e2bd875d976f6739a60fadb5f9223935026

          SHA512

          ddc6205f7087ea95eedecc57ce564b63a1b7fb24142b4a5a609d98f1e9adb297296bad36079486f3cd308b96faf89fb57792bef0dfa4e93d3bd4c1a15d12e23e

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          45KB

          MD5

          f691c2286b3f10b5911d4d73b4d5749e

          SHA1

          67b7c4251e555b84bc606384078ddcb3ea64c88b

          SHA256

          f40e8497cd0e8b0cf5b458639942ca2ee148094da6b292bc7369373617fd3cd5

          SHA512

          73f8e1d4e456e651eb9dfeac3209654f3d27d8ae943765ba82a2e3ea97885e94c7a90785c1d557d8596a3f206c410ed3c40adb6ac783436fff69b5656240b546

        • memory/328-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/328-145-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1248-186-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1248-182-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1568-172-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1568-169-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1920-111-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1920-115-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2068-161-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2072-126-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2072-123-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2400-137-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2400-136-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2912-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2912-156-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2912-108-0x0000000000540000-0x000000000056E000-memory.dmp

          Filesize

          184KB

        • memory/2912-181-0x0000000000540000-0x000000000056E000-memory.dmp

          Filesize

          184KB

        • memory/2912-180-0x0000000000540000-0x000000000056E000-memory.dmp

          Filesize

          184KB

        • memory/2912-109-0x0000000000540000-0x000000000056E000-memory.dmp

          Filesize

          184KB

        • memory/2912-188-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB
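
The Downloads list deserves a closer read before it is turned into indicators. C:\Users\Admin\AppData\Local\services.exe carries exactly the hashes of the submitted sample, so that drop is a plain self-copy, but the other seven drops each have a different MD5/SHA1/SHA256 even though every one is 45KB and every process maps the same 0x400000-0x42E000 (184KB) image; the in-memory size against 45KB on disk fits the MPress packing the signatures flag, and hash-only matching will catch this exact run and little else. The IExplorer.exe entry also shows the WOW64 file-system redirector: the command line reads C:\Windows\system32\IExplorer.exe while the file landed in C:\Windows\SysWOW64, which is what a 32-bit writer gets on an x64 host (the resource tags include arch:x86). The sweep below is an added example, not part of the report: it embeds the report's SHA256 values and, separately, flags files named after the core Windows processes this sample copies itself as (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) found anywhere other than System32 or SysWOW64, a pattern that survives re-packing. The legitimate-directory list and the size threshold are assumptions of the example, and the files demo() builds in a temporary directory are constructed, not taken from the sandbox.

```python
"""Offline sweep for the dropped files listed in this report.

Added example, not part of the sandbox report or of the sample. It embeds
the SHA256 values from the Downloads section, hashes files under a root, and
also flags the masquerade pattern the process tree shows: copies named after
core Windows processes living outside System32/SysWOW64.
"""
import hashlib
import os
import sys
import tempfile

# SHA256 values copied from the Downloads section above.
REPORT_SHA256 = {
    "5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54": "submitted sample (also dropped as services.exe)",
    "a806201ac1da4963163c7834426191f97cd11c2a3ac1ade9f2c3e5b2d765c3c2": "xk.exe",
    "37b37951adf15b74e9ac68024afa75fb153396a5341daebc8f671d6951090291": "CSRSS.EXE",
    "512d4b99172f04f86adf9725c330ce73a634f463688b4c70293533c7a2e5f1cf": "LSASS.EXE",
    "5f9eb83d4632d4ad4e9b9b7de59765714aca6b35f4ec635e1f11405b70b98bd1": "SERVICES.EXE",
    "4493c5c95f1d05b8dec6ac126e9c678e3d2f645dd3ad61e0724201442b1e2293": "SMSS.EXE",
    "015dfc6fd876d90e9809ca45af139e2bd875d976f6739a60fadb5f9223935026": "WINLOGON.EXE",
    "f40e8497cd0e8b0cf5b458639942ca2ee148094da6b292bc7369373617fd3cd5": "IExplorer.exe",
}

# Core process names the sample reuses for its copies (from the process tree).
CORE_NAMES = {"winlogon.exe", "csrss.exe", "services.exe", "lsass.exe", "smss.exe"}
# Where those names legitimately live. Assumption of this example: any other
# directory is suspect.
LEGIT_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Every drop in the report is 45KB; skip hashing anything far larger.
MAX_HASH_SIZE = 1 << 20


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def is_masquerade(path: str) -> bool:
    """True when a core-process file name sits outside System32/SysWOW64.

    Accepts Windows or POSIX separators so it can be exercised anywhere."""
    p = path.replace("/", "\\").lower()
    directory, _, name = p.rpartition("\\")
    return name in CORE_NAMES and directory not in LEGIT_DIRS


def sweep(root: str, known: dict = REPORT_SHA256) -> list:
    """Return [(path, [reasons])] for files under root that match a known hash
    or the masquerade pattern. Both reasons can apply to one file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            try:
                if os.path.getsize(full) <= MAX_HASH_SIZE:
                    digest = sha256_file(full)
                    if digest in known:
                        reasons.append("hash matches report: " + known[digest])
            except OSError:
                pass  # unreadable or vanished; still check the name
            if is_masquerade(full):
                reasons.append("core process name outside System32")
            if reasons:
                hits.append((full, reasons))
    return hits


def demo() -> list:
    """Run sweep() over a constructed directory (sample data, not from the
    report) so the logic can be exercised without the real drops."""
    with tempfile.TemporaryDirectory() as tmp:
        drop_dir = os.path.join(tmp, "AppData", "Local", "WINDOWS")
        os.makedirs(drop_dir)
        fake = b"constructed stand-in for a dropped copy"
        with open(os.path.join(drop_dir, "CSRSS.EXE"), "wb") as f:
            f.write(fake)
        with open(os.path.join(drop_dir, "LSASS.EXE"), "wb") as f:
            f.write(b"different bytes, so only the name matches")
        with open(os.path.join(drop_dir, "notes.txt"), "wb") as f:
            f.write(b"harmless")
        known = {**REPORT_SHA256, sha256_bytes(fake): "constructed test hash"}
        return [(os.path.relpath(p, tmp), why) for p, why in sweep(tmp, known)]


if __name__ == "__main__":
    for path, reasons in (sweep(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(path, "->", "; ".join(reasons))
```

Point it at a user profile or a whole volume (python sweep.py C:\) on a host suspected of running this sample; with no argument it runs the constructed demo. Expect the name check to fire on the drops even when the hash check does not, for the reason given above: only services.exe in this run shares a hash with the sample, and the other copies would need their own hashes added to REPORT_SHA256 from a fresh run.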