Analysis

  • max time kernel
    134s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 22:26

General

  • Target

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

  • Size

    45KB

  • MD5

    636e5a04688045b7bb9e766678779042

  • SHA1

    ee262b0581b7504b8705ba9943b62f25fa9208fd

  • SHA256

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

  • SHA512

    96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEE:8AwEmBj3EXHn4x+9aE

Score
10/10

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 18 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
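The registry-side signatures above (Winlogon persistence, hidden extensions and hidden/system files in Explorer, RegEdit disabled, System Restore disabled, the exefile association, Run keys) all map to well-known locations, but the report only counts the IoCs and does not print the values written. The following is an added example, my own code rather than the sandbox's: a parser for the `.reg` export format plus an audit of those standard keys against a baseline. The key and value names are the documented Windows locations these signature names refer to; `SAMPLE_REG` is constructed to illustrate what such modifications look like and is not this sample's recorded IoCs, and the three Explorer view settings in `EXPECTED` are an assumed hardened baseline, not Windows defaults (Windows hides extensions by default).

```python
"""Audit a Windows .reg export for persistence/policy tampering.

Added example (not the sandbox's code). SAMPLE_REG is constructed; it does not
reproduce the sample's real registry writes.
"""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICIES_SYS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SYSRESTORE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
EXEFILE = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

# (key, value, expected). Windows defaults, except the three Explorer view
# settings, which are an assumed hardened baseline (Windows hides extensions by default).
EXPECTED = [
    (WINLOGON, "Shell", "explorer.exe"),
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),
    (EXEFILE, "@", '"%1" %*'),
    (EXPLORER_ADV, "HideFileExt", 0),
    (EXPLORER_ADV, "Hidden", 1),
    (EXPLORER_ADV, "ShowSuperHidden", 1),
    (POLICIES_SYS, "DisableRegistryTools", 0),
    (SYSRESTORE, "DisableSR", 0),
]
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string escaping: \" is a quote, \\ is a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_hex(kind, body):
    data = bytes(int(b, 16) for b in body.replace(",", " ").split())
    # hex(2) is REG_EXPAND_SZ and hex(7) is REG_MULTI_SZ: UTF-16LE text
    return data.decode("utf-16-le").rstrip("\0") if kind in ("2", "7") else data


def parse_reg(text):
    """Return {key_path: {value_name: data}}; the default value is named '@'."""
    reg, key, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):  # hex continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            data = _unescape(raw[1:-1])
        elif raw.startswith("dword:"):
            data = int(raw[6:], 16)
        elif raw.startswith("hex"):
            t = re.match(r"hex(?:\((\w+)\))?:", raw)
            data = _decode_hex(t.group(1), raw[t.end():])
        else:
            data = None if raw == "-" else raw  # "-" means the value is deleted
        reg[key][name] = data
    return reg


def audit(reg):
    """Compare the export against EXPECTED and list every Run entry for review."""
    out = []
    for key, name, expected in EXPECTED:
        actual = reg.get(key, {}).get(name)
        if actual is None:
            continue  # key not exported, or policy value absent (== not set)
        if isinstance(actual, str) and isinstance(expected, str):
            same = actual.lower() == expected.lower()
        else:
            same = actual == expected
        if not same:
            out.append(f"{key}\\{name} = {actual!r} (expected {expected!r})")
    for key in RUN_KEYS:
        for name, cmd in reg.get(key, {}).items():
            out.append(f"Run entry {name!r} -> {cmd!r}")
    return out


# Constructed export illustrating the signature names above (not real IoCs).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\Users\\Admin\\AppData\\Local\\winlogon.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\xk.exe\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"=hex(2):6e,00,6f,00,74,00,65,00,70,00,61,00,\
  64,00,2e,00,65,00,78,00,65,00,00,00
"WINLOGON"="C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
'''

if __name__ == "__main__":
    for hit in audit(parse_reg(SAMPLE_REG)):
        print(hit)
```

To run this against a live host, export each key first (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, and so on for the other keys) and read the files with `encoding="utf-16"`, since `reg export` writes UTF-16LE with a BOM. Note that `audit` skips values that are absent from the export: an absent policy value genuinely means "not set", but a missing key only means it was not exported, so export every key listed in `EXPECTED` before reading the empty result as clean.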

Processes

  • C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
    "C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4320
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:820
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3708
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2396
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5012
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1668
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1196
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1216
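Two things in this tree matter for detection. First, every child of PID 4320 is a dropped 45KB copy, but the copies are not byte-identical (each has its own hash in the dropped-file list below; only `C:\Users\Admin\AppData\Local\winlogon.exe` matches the submitted file), so blocking the submitted hash alone misses the siblings. Second, the copies borrow core Windows process names (`smss.exe`, `csrss.exe`, `winlogon.exe`, `services.exe`, `lsass.exe`) while running from a user profile path and being spawned by a user-land executable, and `IExplorer.exe` imitates `iexplore.exe`. The `Local Settings\Application Data` path is the legacy compatibility junction for `AppData\Local`, which is why the same files appear under both names on this page; note also that the sample is 32-bit (the `arch:x86` tag and the 0x400000 image base), so its write to `system32\IExplorer.exe` was redirected by WOW64 to `SysWOW64`, exactly as the process entry shows. The following added example, my own code and not the sandbox's, encodes those name/path/parent rules (ATT&CK T1036.005) and runs them over records constructed from the process list above; the three legitimate `System`/`smss.exe`/`csrss.exe` entries are constructed as a control, and the parent of PID 4320 is not shown on the page, so 0 is used.

```python
"""Masquerading detector for a sandbox process tree (ATT&CK T1036.005).

Added example: my code, not the sandbox's. SAMPLE_TREE is constructed from the
process list above plus three constructed legitimate entries as a control;
the field names and the rule set are my own.
"""
from dataclasses import dataclass
import ntpath

# Core Windows processes and the only parents that legitimately start them.
CORE_EXPECTED_PARENTS = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}
SYSTEM32 = "c:\\windows\\system32"
WINDOWS_DIRS = {"c:\\windows", SYSTEM32, "c:\\windows\\syswow64"}
# Names that imitate a real Microsoft binary (assumed list; extend as needed).
LOOKALIKES = {"iexplorer.exe": "iexplore.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str  # image path exactly as the sandbox reports it


def normalize(path: str) -> str:
    """Lower-case the path and fold the legacy profile junctions Windows keeps
    for compatibility, so 'Local Settings\\Application Data\\X' compares equal
    to 'AppData\\Local\\X'."""
    p = path.lower()
    p = p.replace("\\local settings\\application data\\", "\\appdata\\local\\")
    return p.replace("\\local settings\\", "\\appdata\\local\\")


def findings(proc: Proc, by_pid: dict) -> list:
    """Return the masquerading indicators for one process."""
    path = normalize(proc.image)
    directory, name = ntpath.split(path)
    parent = by_pid.get(proc.ppid)
    parent_path = normalize(parent.image) if parent else ""
    parent_name = ntpath.basename(parent_path) if parent else "<unknown>"
    out = []
    if name in CORE_EXPECTED_PARENTS:
        if directory != SYSTEM32:
            out.append(f"{name} runs from {directory} instead of {SYSTEM32}")
        if parent_name not in CORE_EXPECTED_PARENTS[name]:
            out.append(f"{name} started by {parent_name}, expected one of "
                       f"{sorted(CORE_EXPECTED_PARENTS[name])}")
    if name in LOOKALIKES:
        out.append(f"{name} imitates {LOOKALIKES[name]}")
    if directory in WINDOWS_DIRS and parent_path.startswith("c:\\users\\"):
        out.append(f"{name} in {directory} was started by a user-profile binary: {parent_path}")
    return out


def scan(tree: list) -> dict:
    """Map pid -> findings, omitting processes with nothing to report."""
    by_pid = {p.pid: p for p in tree}
    report = {}
    for p in tree:
        hits = findings(p, by_pid)
        if hits:
            report[p.pid] = hits
    return report


DROP_DIR = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\"
SAMPLE_TREE = [
    # Constructed legitimate chain (control): System -> smss -> csrss.
    Proc(4, 0, "System"),
    Proc(400, 4, "C:\\Windows\\System32\\smss.exe"),
    Proc(600, 400, "C:\\Windows\\System32\\csrss.exe"),
    # From the report's process list (parent of 4320 not shown; 0 used).
    Proc(4320, 0, "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
                  "639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"),
    Proc(820, 4320, "C:\\Windows\\xk.exe"),
    Proc(3708, 4320, "C:\\Windows\\SysWOW64\\IExplorer.exe"),
    Proc(2396, 4320, DROP_DIR + "WINLOGON.EXE"),
    Proc(5012, 4320, DROP_DIR + "CSRSS.EXE"),
    Proc(1668, 4320, DROP_DIR + "SERVICES.EXE"),
    Proc(1196, 4320, DROP_DIR + "LSASS.EXE"),
    Proc(1216, 4320, DROP_DIR + "SMSS.EXE"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_TREE).items():
        for hit in hits:
            print(f"pid {pid}: {hit}")
```

The parent rule is the one that survives renaming: even if a future variant drops its copies straight into System32, `csrss.exe` spawned by anything other than `smss.exe` is still wrong. The same records can be fed from Sysmon event ID 1 (`Image`, `ParentImage`, `ProcessId`, `ParentProcessId`) with no change to the rules.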

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          45KB

          MD5

          bf30651a3499b5eb3c1bf12eefefbe49

          SHA1

          8cbf18ef1199be1d32c24d0452c8a8c6569eaeef

          SHA256

          5f1f0a2d55c24d6a34d46a45cd4d77214627a809029db4043e6c3a22f64ce25a

          SHA512

          d18ba418bef59264f491b7a9eb26773db66ed3d44989c4248369be9e04ed9ae80f9ff455e9cf70416ecfe182f8207d24a8da338d5d979d2e24e6d18784bc6dc9

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          45KB

          MD5

          e08d7cf8a7a3e909dd4fe8ff680e53f5

          SHA1

          e5eaf3ef3351a42c1d7b30e694266eba990a643e

          SHA256

          cb09594e2b95ed6fa2463235857e237c45d11ad690d1b0690db19e0dbb921c68

          SHA512

          bb87f10611040c4cbd31207a2691224b7fe0065d850ab140ebc8dd88251f8c63b3576c6731bdfabca643c8f3f0d9d8d06581b584da89ff99abb50cdbe9e49cf1

        • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          45KB

          MD5

          adfc1f2fcd4eb7ffb2fa1bbf75aff68b

          SHA1

          2a1c7d7e4ca924efa4fd8b67f613524b49f209e9

          SHA256

          e5cbb7661b29459299875bee1ca9327b15825797e71198bd0286af4ec1f61784

          SHA512

          87ea8bfbb5177ab9738c4415bfa447076a70553114d556a7b5ae58a1dab3313916f013d615dd7148d7ddc564e57698e1677f56030bd53236b0111c5fa1b94f09

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          45KB

          MD5

          be043a994d136e1ec8ce33888e7e6139

          SHA1

          cfd9f2c68047b0cb8593d6142b92a6573c2f1866

          SHA256

          12850c894f33323f62c54c1eff48fbf40a4c3cea8e38f0e9524eee653d25c4e8

          SHA512

          b801ab41d5eaf458759d702efff7f39384a86d5963bb60bcb956a1d0b03998809ed420bf404ef8dc63f2b6fe91f4f30dfd18115599d609693b38ce3ee0e91279

        • C:\Users\Admin\AppData\Local\winlogon.exe

          Filesize

          45KB

          MD5

          636e5a04688045b7bb9e766678779042

          SHA1

          ee262b0581b7504b8705ba9943b62f25fa9208fd

          SHA256

          639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

          SHA512

          96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

          Filesize

          45KB

          MD5

          8789daff15be061c694aeb82a0bfff23

          SHA1

          de1e5bec03e8cfa3b0805c946eda092963d607fe

          SHA256

          39da2ed049600ecc76770e32063e41ef69f30d01c9d7c77052a513dd96ec04fc

          SHA512

          aecbd484dc9c80c7805808e2a8e55f5ff4401b59d52ae92ae2f8c81701ad52fe1ec57f971020b86ff0b3ca476299ee64c6440cc847a846677a5cc8260e830854

        • C:\Windows\SysWOW64\IExplorer.exe

          Filesize

          45KB

          MD5

          e6815a06181fa25472254b6487365584

          SHA1

          37d5731147f59111baf7429af2bb0af8ad53f22f

          SHA256

          1d8cdbcfa2ddb0a69c37e4f43373e03584d88682d675d282fd1c5a6cbdc5f6fd

          SHA512

          2bbe9f3ebb6dda986986d03c94da073afd8d4fa83da6da3243d089e1116ee21a8364748c335e9f997c7531e04e0ae7795efb5fa7b2dbf97460c9c8ae1cf1faf6

        • C:\Windows\xk.exe

          Filesize

          45KB

          MD5

          0a11facc5fb553045b0519f18fd4ca93

          SHA1

          1fd704a01597c9ad20b079f26961570c015c3763

          SHA256

          8193fe38ffd8b1489b91e8700e25b0bc2b423880d7582abdd145cac4d7fc2391

          SHA512

          3999a69d8cfcd6f2c7de86fadb13874e0b76eb5a04271db8006fb89023bb7f48f85f599a506b5f2d78edcdeb93165b55b22e6d1206fee7923a1a4da7ab24a164

        • memory/820-114-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1196-142-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1216-146-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1216-149-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1668-138-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2396-123-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/3708-117-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/4320-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/4320-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/5012-130-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB