Analysis

  • max time kernel
    140s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2024, 22:26

General

  • Target

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

  • Size

    45KB

  • MD5

    636e5a04688045b7bb9e766678779042

  • SHA1

    ee262b0581b7504b8705ba9943b62f25fa9208fd

  • SHA256

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

  • SHA512

    96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEE:8AwEmBj3EXHn4x+9aE

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 45 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 24 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
    "C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2076
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2420
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2796
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:312
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1344
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:368
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:748
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2292
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3008
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2988
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2904
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1684
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1148
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3052
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2844

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

          Filesize

          256KB

          MD5

          6bee9adce38c3d5f68b747c8b20b8128

          SHA1

          47b9c2951a719685a1c2c66dce786a87c3973f90

          SHA256

          3253e607b66e9fbe3deb5ae9e79b3965aee7439735cedca3f58ab56f4120b8ec

          SHA512

          7fae9b7736af5c4ef9e620a1564b956dee91f40fc5cc68fd0211eb281c88eeb63f0522aeca177f38c1d74eb8c2bf5da67b8ec34155977dbca3ad4c02fd453796

        • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

          Filesize

          240KB

          MD5

          6fc0e53c359f3b0ebab08c034a3f9fbd

          SHA1

          f7bba75f3d1ddd0fffc5f6404c94823bf570c313

          SHA256

          afb525267b7024f9585f0c31335718eb8f66d1ddc8c1afa785c8928b803f19ca

          SHA512

          af15ca8354c0882a9b8e92c0a008278e060145b02eebf4d13496da0ff8e217e61fbee1462d2932d0e75bef32d0582c48096a2e3c5044e797a8a51bfbc967b7eb

        • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

          Filesize

          1KB

          MD5

          48dd6cae43ce26b992c35799fcd76898

          SHA1

          8e600544df0250da7d634599ce6ee50da11c0355

          SHA256

          7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

          SHA512

          c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          45KB

          MD5

          a5a21dcd25f3f6b405179f49bc2655a8

          SHA1

          60c326bb9abdaea2d4a07e187179e58cd93d7987

          SHA256

          6adb266cf65839b59a8a2edd227ac3fb576252af3387767bfd8ec4784cc472dd

          SHA512

          ce4c74eac6f46e92c69051b40a9ca266982cb98009f07308efb409475b8ca434eb3a193f9466f62dbe61f1e33ba482d5d73ab018ec8f9f5c62368c520c32f02a

        • C:\Users\Admin\AppData\Local\services.exe

          Filesize

          45KB

          MD5

          636e5a04688045b7bb9e766678779042

          SHA1

          ee262b0581b7504b8705ba9943b62f25fa9208fd

          SHA256

          639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

          SHA512

          96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

        • C:\Windows\xk.exe

          Filesize

          45KB

          MD5

          cbe3d85ef31aba51b8531122fbf756ea

          SHA1

          9cae6100ec56cce176d84a9e36b1ed1d6bcfaf43

          SHA256

          48b675f8ec444e2c99383223490cc96d5af25ad2402b76af5f3cea82c89fe237

          SHA512

          32e618bcdc35b3a7472380d58639cd9f460aeb6e3e33859d08a2283ac4b68f45b7140424fcf501c1c91c126f2fa6ab0b08cdc1bcdfe0bba5db56add718f23284

        • C:\Windows\xk.exe

          Filesize

          45KB

          MD5

          56b428d340994f196376523a2d08d13f

          SHA1

          b5019ed496cd52946cf1e821a9394b080924ab1c

          SHA256

          5ee1aca367d31dba740e0ea23b988a5504b5ec2d549b42f169b81ca7df660a6a

          SHA512

          11d9a3345c67bd8764644fde5c45b13602b4d1f442e5a47f3cc271056a41a49033ec69b7e60d2db8326ab61c681aadd2c5ed4080c03f95ab81ed30e06a94f151

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          45KB

          MD5

          07336e97096a76d94da07929d5104aa4

          SHA1

          3852b49c868740b0204a698031ab583984a0f0cf

          SHA256

          3936f0037a1f56ea94f7a30eece6f8d177ec22c1440f62cf144d655fd80a2b97

          SHA512

          39e0efad82270416bd6d64b10c7467277827bed488d02a82e5627207a283ef6d81347a11a26f30feedfd32975533c943b58c02ece2ee48bb5657a8cfbe00dd5a

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          45KB

          MD5

          e164ea3d85b1a985a016817c4bdd7ae8

          SHA1

          194db080b94c6fa75d60a802eb425c2ce06351b9

          SHA256

          8733a7d556a8fbf4fbec41c0128f8331dbfe1a1a5e0b7ff7a05c07d4926568de

          SHA512

          d68e47aaf30feeba58ceb185cec532db57bf13c901386875a9467306c9f324defb60c4ccbe100da387b3574a139d8aa45669aedf91732597a40b95fb80c97c3b

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          45KB

          MD5

          479dde8ef252c19ffcbec1f5359ab4bc

          SHA1

          339234e36878b1cd0fe5bd168463c4e6d42464ed

          SHA256

          7223c11e8a9ba856f7705875e39050fb0706e85f5ee938dbfc8668f78d2a07c0

          SHA512

          bffc211153d5902ce4d56489a6fc5079ef5d24feb7bedbd8fde5d445488262b2072a7c0abfd78cb68ea4a7e49942e015d9840c427fb9306f38fae0392ed57da7

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          45KB

          MD5

          9436fe8030e00c10f67135f9c520c713

          SHA1

          4d99734d61102bfdc789e2b52327206231208c7d

          SHA256

          300a927abe37c346b35f5a2186c25ad64d48cb59a0bb14b86c517ff4b0a07b6d

          SHA512

          9527b7d7ca77a0521ee1aadb3e092b6bd5c2b5368dd0c20fb7099950f72635af4d860badd49c9ceef52893585e08b668e63231bb8138fa2fe16a705b68e7b5c3

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          45KB

          MD5

          66052f25952a48d05b980ae87518614d

          SHA1

          088dce134bf1b83eac7350ee7a2bacb5a1d93d92

          SHA256

          447dcc6a82ed9f8593c7123ec3aee527846b0b7028a1d79d1e91d71b4382e282

          SHA512

          0a05196c831e920e8bee561c83cad182953cec8818756fb936186c198ec96ae18a7f0864e002ec13166ff5a63a45f244a45b8293e5f10c9b0eb843c15003e3aa

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          45KB

          MD5

          9973b2c296a65c496b82a08aca5889ba

          SHA1

          173581916d39edf8f5ac7bd9228a1b22f2ff30b1

          SHA256

          929040754750a1edbedecbf0e7e225e251ce3a7992d5ac3f2203d3b1ef2c78ce

          SHA512

          49ac35a53105dd608e678db74bdd9d0552ac2908c97e96f3f5b8400708da8b53b6543f284f166e4685f5d37acfd9dea46be6a8cef1b8e7b0aff1c846153c4b79

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          45KB

          MD5

          7f7fad8079e534a15f12d2b2ff92ef49

          SHA1

          6924daff6b2483ffcf7eed31abc0aa6ed8897b85

          SHA256

          9f4c7052253b67437d141e6ef95f3874fbb5f58c04f19d2a27141fb72dc8cc7b

          SHA512

          0474c5f41f395df2898014cba4e029fa1fb19b0e866ea91073841a18358c6d72e9fd90c10c98c10c5db988233cb9a2a2c05e1beebb05378e039692bf8f5bebe8

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          45KB

          MD5

          15227630e6034a235d6d9283367144b8

          SHA1

          c4b9d179b68ae4130574adb4c76707d6305ab4cc

          SHA256

          841ef5c3ec75c5f48577f1d3a91aa79524a6ad30958bef9c545c3b4f6543e7b1

          SHA512

          3ccbcdc009ee39ee1c1c708c8faaede9622e68d9f940c97440ac1853ba9461edc63302c8e15d1ce3239110613a1f970b198235ff772b47a828ba9e70be766f81

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          45KB

          MD5

          8cdb22cfe57ad631d89a9e9d8fc4bbcb

          SHA1

          9af7950ae759cfeea7142c0291874f3666face49

          SHA256

          311c41ff1b7e89c6eef0e95a847ab2493d5853d2e74e427264a04e06f80c308d

          SHA512

          cbe591e819f6f6799172232e4eb43cc58874dfbbe622280c59c53e6d7762d8729416b8b8b2cb85af43f9cffc6327b71b1cfa471b8755b6ab0a7f78338ab4e56b

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          45KB

          MD5

          5e1bc18182d07d225e7d16be61471dd7

          SHA1

          790f7ec1a0b6b29dc9af30a093878a08965ba4a6

          SHA256

          8e4a64f0185bda47b20a8a17a7fba7e747b94869384f32c02faea92aed3f3734

          SHA512

          c9a6668d0d0bf46b93acdbe9f84448a28b150729459c8bd40bbbe5ffa01afd21e74a2ddcb58c18534b760405309ffd2db7d722412eaaa1975ca9109bd5af9475

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          45KB

          MD5

          aae51a1187d5b84625a814897a8c3deb

          SHA1

          030b7a0067d8fbc0dc1ef4e9ab3097f9cdf8a211

          SHA256

          862dd064b44272c2663256066a57dab9879f34ccd42c9605600a38a0d4a7b148

          SHA512

          31b04f7a896e4fa3bd534db447f817062ae29147ca27240fc6b44e93e442bd2c412937d83c35eb1078a8a9923734a9795af0e84c67cb65bd6e0c41a3e1f183fd

        • memory/312-136-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/368-159-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/368-156-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/748-169-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1148-293-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1344-147-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1344-144-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1684-281-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1684-275-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2076-238-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-287-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2076-469-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-467-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-466-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2076-233-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-274-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-273-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-272-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-108-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-177-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-150-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2076-290-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-289-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-121-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-286-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-133-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2076-296-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2292-199-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2420-114-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2796-125-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2796-122-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2844-341-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/2904-266-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2988-259-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3008-244-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3008-239-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3024-312-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3052-316-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB