Analysis

  • max time kernel
    133s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 22:14

General

  • Target
    5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
  • Size
    45KB
  • MD5
    4eae1eef38400d1e90011f887c700932
  • SHA1
    172988046bc829608da1865c5d1c942aa22493d6
  • SHA256
    5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
  • SHA512
    3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df
  • SSDEEP
    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEqP:8AwEmBj3EXHn4x+9aqP

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 18 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe
    "C:\Users\Admin\AppData\Local\Temp\5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4388
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1724
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2268
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4668
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1496
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4240

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize 45KB
          MD5 6ca525e3e833ca6bc0e11488e22863d9
          SHA1 61bf9528de29638e048f59fe2fde9ec76ed68b78
          SHA256 5ec1f841e3179c36a12786f0c12107426d58a39d1292b1ef524084a102b48f13
          SHA512 b5eb7d10321d80da5c355f04ce094c0de45a2be292804076963c5b01d1aa24dad8be1caaa4d954775e88c420df5da474efccb98a989016d08e7b24beda20698e

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize 45KB
          MD5 4e2c2bc2e086de273f574deaf3bc394d
          SHA1 fbf6ecc1b1a790a8e3c793c1610c2de39ec56a4e
          SHA256 c640c05ce95da18c9f35174fdc0fdd25ddbe99a5c43ed380978086888c27fd2f
          SHA512 feeb012f518888c51aee47dd139dc0c256117515048824a1f685083118924049f84f3010cdfc32713850cb65a68af31d2e7476101f9cb35e2c9f919a7371214c

        • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize 45KB
          MD5 495c7c969724a5e4265b49eb4dc6adb1
          SHA1 bf8bf19ace31a35373eae0e3317eafed0289c0f7
          SHA256 67a136377f523e6c3b0536c578e9c5328285e08725bd1a419be6e7f4398f8421
          SHA512 d1cb7e0fdc14019e301b63aea7d40d190f9e4b580b890f0728dd29793268f6d47baca980354b8c2ce5cdbc8db6c0b8cfe3efc61f5aab5f1320335e950e242834

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize 45KB
          MD5 fccb4bd5998eb636d14aa784b5ca4d43
          SHA1 21ac50f2d23d2e12f2749c7879167d26c8c1881b
          SHA256 9155a1d579eede6d3003e091a42f68b8433ff9ca4aea466a8b997ab2a3742173
          SHA512 d928dd6683ef9ed805ccd9099006c61b4493e60d6bab7bb8dab99bf56fcbfb48fb478f353568dde14c74eb7cd060121975e20985e843201eff489ec50d7e8c4c

        • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize 45KB
          MD5 c87e6ba06cfd691f716d75d6ff8e7f48
          SHA1 1c4c3a318e5a5aa1394fdcc05ac7fdf804190662
          SHA256 d959b5fbeced78bdae9710f7b0e5d79593bc9a3ea002acbe4a30565e34001ad1
          SHA512 5ad906ea775cc457fba9b090c539ff3f9f7854f23ce3c7e9d8090de190c85276b952be91e82abef433f25b01a1d98b30ffd1571bbd808d8150f635d8dd6de49d

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize 45KB
          MD5 4eae1eef38400d1e90011f887c700932
          SHA1 172988046bc829608da1865c5d1c942aa22493d6
          SHA256 5e808b1bd3e09ffad93137ec586e2eb137412382f8e5642febce0a689e6e5b54
          SHA512 3b61e37f0129b4163f21834cd82afe5bca4a1e431164e2065fe729d7293e38ef9a66297d2bcd9fb8822fd0921f7a10cc8f47ecb3fdca4cb6a95501a4f08f16df

        • C:\Windows\SysWOW64\IExplorer.exe
          Filesize 45KB
          MD5 e9c5413f77e1af8dd6f89b0a5c6a13d2
          SHA1 f2666b1b9a375c4d752a719b6fbd7eeca23b0480
          SHA256 9e4f333d8235e0171d801cf3116234e6884e942d01a0faac5b97135b5274322f
          SHA512 0e383c4cc8a39c1dc436179ac84eec069f3e422863fa1d47605bcb7f6b8af62f6d207409de32f3c9be949c8f98b1760a4a935a25e4fff52685367db780fc0db7

        • C:\Windows\xk.exe
          Filesize 45KB
          MD5 b3d569fd8d3fe816bce3bec44de87f0c
          SHA1 0387bcf13d2d562d9f326ea277833f151a213647
          SHA256 dd66aeac3e21a3fbafec51876dc181edff98a6170f3c13aa352913723e69854e
          SHA512 eb7c25980f073ae81a10c760dc59a81c982f95032c565243242b5acfdf718f41b6bd9ef1a8a7cbd66686e525d1ffffffab0e4a58bf2e1beae9ddd38fbfb13ff5

        • memory/608-140-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/1496-148-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/1724-113-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/1724-107-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/2268-119-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/3536-133-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/4240-154-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/4388-0-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/4388-156-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB

        • memory/4668-127-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize 184KB