Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/05/2024, 22:29

General

  • Target

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

  • Size

    45KB

  • MD5

    636e5a04688045b7bb9e766678779042

  • SHA1

    ee262b0581b7504b8705ba9943b62f25fa9208fd

  • SHA256

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

  • SHA512

    96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEE:8AwEmBj3EXHn4x+9aE

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
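The signatures above name registry-based persistence and policy tampering, but the report does not list the values the sample wrote. The PowerShell triage script below is an added example, not part of the sandbox report and not the sample's own code: it reads the registry locations those signature names conventionally map to (Winlogon Shell/Userinit, the exefile association, the Policies\System and SystemRestore policy values, the Explorer visibility settings and the Run keys) and reports every deviation from the Windows 7 default. The key list and the "expected" defaults are assumptions drawn from general Windows knowledge, not observations from this run, so read its output as a lead for a human to judge. Run it in an elevated session on the suspect host.

```powershell
# Added triage script (not from the report). Expected values are Windows 7 defaults,
# an assumption; anything different is printed for a human to judge, not auto-remediated.
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]      # also works for the '(default)' value
    if ($null -eq $prop) { return $null }
    return $prop.Value
}

# Flag when a value exists and differs from the expected default.
function Test-Expected {
    param([string]$Path, [string]$Name, [string]$Expected, [string]$Signature)
    $actual = Get-RegValue $Path $Name
    if ($null -ne $actual -and "$actual" -ne $Expected) {
        $findings.Add("[$Signature] $Path\$Name = '$actual' (default is '$Expected')")
    }
}

# Flag when a value that should be absent (or 0) is set.
function Test-Unset {
    param([string]$Path, [string]$Name, [string]$Signature)
    $actual = Get-RegValue $Path $Name
    if ($null -ne $actual -and "$actual" -ne '0') {
        $findings.Add("[$Signature] $Path\$Name = '$actual' (expected absent or 0)")
    }
}

# "Modifies WinLogon for persistence": Shell and Userinit are the classic targets.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-Expected $wl 'Shell'    'explorer.exe'                      'Modifies WinLogon for persistence'
Test-Expected $wl 'Userinit' 'C:\Windows\system32\userinit.exe,' 'Modifies WinLogon for persistence'
$wlUser = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
Test-Unset $wlUser 'Shell'    'Modifies WinLogon for persistence'   # per-user override, absent by default
Test-Unset $wlUser 'Userinit' 'Modifies WinLogon for persistence'

# "Modifies system executable filetype association": every .exe launch goes through this.
Test-Expected 'HKLM:\SOFTWARE\Classes\.exe' '(default)' 'exefile' 'Modifies system executable filetype association'
Test-Expected 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' '(default)' '"%1" %*' 'Modifies system executable filetype association'
Test-Unset    'HKCU:\Software\Classes\exefile\shell\open\command' '(default)' 'Modifies system executable filetype association'

# "Disables RegEdit via registry modification" / "System policy modification".
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
    Test-Unset "$hive\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableRegistryTools' 'Disables RegEdit via registry modification'
    Test-Unset "$hive\Microsoft\Windows\CurrentVersion\Policies\System" 'DisableTaskMgr'       'System policy modification'
}

# "Disables use of System Restore points".
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
Test-Unset $sr 'DisableSR'     'Disables use of System Restore points'
Test-Unset $sr 'DisableConfig' 'Disables use of System Restore points'

# "Modifies visibility of file extensions / hidden files": print rather than judge, because
# the defaults (HideFileExt=1, Hidden=2, ShowSuperHidden=0) already hide what the dropped
# files rely on. Set HideFileExt=0, Hidden=1, ShowSuperHidden=1 before inspecting the profile.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
foreach ($n in 'HideFileExt', 'Hidden', 'ShowSuperHidden') {
    Write-Output ("Explorer\Advanced\{0} = {1}" -f $n, (Get-RegValue $adv $n))
}

# "Adds Run key to start application": list every entry for review. The sample runs as a
# 32-bit process (its IExplorer.exe lands in SysWOW64), so the WOW64-redirected Run key is included.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $rk).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip the provider's PSPath/PSDrive/... properties
        $findings.Add("[Adds Run key to start application] $rk\$($p.Name) = '$($p.Value)'")
    }
}

if ($findings.Count -eq 0) { Write-Output 'No deviations in the checked locations.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run entries are listed wholesale rather than judged, because a legitimate host has some; compare them against the dropped-file paths in the process tree below. A domain-joined host may carry policy values legitimately, so treat a Policies\System hit as a question, not a verdict.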

Processes

  • C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
    "C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1868
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:884
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2376
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1456
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2420
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2444
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1856
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:868

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          45KB

          MD5

          4b0e07d057e4143e2fd202e4b923e175

          SHA1

          208a1839a3fbdac75a3198a4954e6bfb661f0d79

          SHA256

          b6eb4ef650951055827557a90d1b40841220a3613b226218ad9e668b38c3ddc1

          SHA512

          273b96e3a633a8e5e4dbf66eb60eff3b7e38be611a2db481144faa58115de90ea235e25e7b1a9d739812af36d2d8d3928b65c1a5eb62ba55261f0c7b8410e432

        • C:\Users\Admin\AppData\Local\services.exe

          Filesize

          45KB

          MD5

          636e5a04688045b7bb9e766678779042

          SHA1

          ee262b0581b7504b8705ba9943b62f25fa9208fd

          SHA256

          639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

          SHA512

          96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

        • C:\Windows\xk.exe

          Filesize

          45KB

          MD5

          d9b1d9b09875348bf2c5db908241aea9

          SHA1

          23766d7e541419e074066a5bdf313598fe5a56f8

          SHA256

          2f049c7efddc0e0be97e0e89a3c14df9dd5c818bef05bea990e65def9e2ba75d

          SHA512

          b2cc8acc881c8de406c4e2cb7d81b931ec2f762ae6fa39fd7f7ed7f3b3c88f1f10ab24905ebf662398bd5fc80e82557fb2cb7539bbf896d35dd526e1316f3f11

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          45KB

          MD5

          b15fceb5d5c61cb90cc03a7c5ecf68f7

          SHA1

          24605107c1072f74c06c11a037cec3400b64a882

          SHA256

          8b53663f500271a1c3f74af6b59020867c14914c50183b4bdff739449c81c14d

          SHA512

          c1f3e90a0d5afba6f351d478fc32d44b812aa34c09eb89ecd88d0ee4587dba7436f2dc578cdb341e269e923eb1c87eddbf3b3bf2a7204be3dc47dcd6ce136ff3

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          45KB

          MD5

          cf6a7295422aa33f21c86fb5e905a8b6

          SHA1

          c304a8ff23cdf1593ef9b937f9e0cdee37ec71bd

          SHA256

          8d42b8bf50f76a965431c6229a0b7a07a700bda2963645f440b4d59eede0befc

          SHA512

          e48ffa853c0cac480ee29e452fe2a6691783d388021324700eaca9ff9ca0e38f778121c64e89678bced7bc4691bd538610201991f4179777b477b66069ce96bd

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          45KB

          MD5

          4f80152e409be2baad4099859a09c2d9

          SHA1

          fe8169041b9c97ce36c665a19554ae11254ac1f3

          SHA256

          66849858deb27f7150e387c052131d2300b724bcbf6cd2b63eaeb2c0f6ec4a63

          SHA512

          d5f7f63390a0eb046ad2be7b590df09ba5d5d6ffa0d01a427b4d2a5b95cb1ba04a3fa62d9496041c21b7c0fb84405d1eb290d7d0f7abbd9c4a984cc5ca65cd4e

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          45KB

          MD5

          42fa8fbf9baac4b8fd038519877d8d17

          SHA1

          d3be0702b7005ecfa31a5349adfe3406e92aa28e

          SHA256

          e8df3372156d26330d2a44a58fa659410023188a569bc265fba41ce0013e0256

          SHA512

          296137b263aa13fc56e66acf847f22fbc35977785397d43a93d415a2511506a4256acde2c2cabab6c9ee1ce81a51b21c651fc3a56bd5b6b2bc866d362f8ef8b8

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          45KB

          MD5

          6fdc45576af91c4f09a55d753448cf45

          SHA1

          06db0d40643957f1151d36ec78adf918bb20534b

          SHA256

          1f585798bd77c871e5c00a487e5955283ea887cd0fdcd432e107c063bf858a7b

          SHA512

          44da8debf55046bd0ff5c82011532cfc4ef985ee00698b461c35148fee90fa49de340bab6a51662681139047e83d3cedd280fdeec58f56828517b0eee2084d8b

        • memory/868-186-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/868-184-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/884-114-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/884-112-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1456-135-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1456-137-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1856-172-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1856-174-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1868-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1868-111-0x0000000000780000-0x00000000007AE000-memory.dmp

          Filesize

          184KB

        • memory/1868-164-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1868-188-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2376-125-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2376-122-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2420-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2420-145-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2444-161-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2444-159-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB
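The process tree and the Downloads list together give the dropped-file locations and hashes. Two details worth reading off them: `C:\Users\Admin\Local Settings\Application Data\` is the compatibility junction Windows 7 keeps for `C:\Users\Admin\AppData\Local\`, so the `WINLOGON.EXE`, `CSRSS.EXE`, `SERVICES.EXE`, `LSASS.EXE` and `SMSS.EXE` entries in the process tree and in Downloads are the same five files; and the command line `C:\Windows\system32\IExplorer.exe` resolves to `C:\Windows\SysWOW64\IExplorer.exe` because the sample is a 32-bit process subject to WOW64 file-system redirection. Every dropped copy has the same 45KB size but a different hash (only `AppData\Local\services.exe` is byte-identical to the submitted sample), so a hash-only blocklist will miss most copies; name plus location is the stronger indicator. The PowerShell sweep below is an added example, not part of the report: it checks those paths on every profile under `C:\Users`, hashes whatever it finds against the report's SHA256 values, and lists running processes that carry one of the core-OS names from an image outside System32. It assumes PowerShell 4 or later (for `Get-FileHash`), an elevated session, and the default `C:\Users` profile layout.

```powershell
# Added sweep script (not from the report). Assumes PowerShell 4+ (Get-FileHash), an
# elevated session so that process image paths are readable, and profiles under C:\Users.

# SHA256 values copied from the report's Downloads section.
$ReportSha256 = @{
    '639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f' = 'submitted sample / AppData\Local\services.exe'
    'b6eb4ef650951055827557a90d1b40841220a3613b226218ad9e668b38c3ddc1' = 'AppData\Local\WINDOWS\LSASS.EXE'
    '2f049c7efddc0e0be97e0e89a3c14df9dd5c818bef05bea990e65def9e2ba75d' = 'C:\Windows\xk.exe'
    '8b53663f500271a1c3f74af6b59020867c14914c50183b4bdff739449c81c14d' = 'AppData\Local\WINDOWS\CSRSS.EXE'
    '8d42b8bf50f76a965431c6229a0b7a07a700bda2963645f440b4d59eede0befc' = 'AppData\Local\WINDOWS\SERVICES.EXE'
    '66849858deb27f7150e387c052131d2300b724bcbf6cd2b63eaeb2c0f6ec4a63' = 'AppData\Local\WINDOWS\SMSS.EXE'
    'e8df3372156d26330d2a44a58fa659410023188a569bc265fba41ce0013e0256' = 'AppData\Local\WINDOWS\WINLOGON.EXE'
    '1f585798bd77c871e5c00a487e5955283ea887cd0fdcd432e107c063bf858a7b' = 'C:\Windows\SysWOW64\IExplorer.exe'
}

# Core OS process names the sample impersonates; legitimate copies live only in System32.
$SystemNames = 'WINLOGON.EXE', 'CSRSS.EXE', 'SERVICES.EXE', 'LSASS.EXE', 'SMSS.EXE'

# Paths from the process tree, expanded to every profile on the host.
$Candidates = @(
    (Join-Path $env:SystemRoot 'xk.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\IExplorer.exe'),
    (Join-Path $env:SystemRoot 'System32\IExplorer.exe')   # in case a non-redirected copy exists
)
foreach ($profile in Get-ChildItem -LiteralPath 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $local = Join-Path $profile.FullName 'AppData\Local'    # same directory as "Local Settings\Application Data"
    $Candidates += Join-Path $local 'services.exe'
    foreach ($n in $SystemNames) { $Candidates += Join-Path $local "WINDOWS\$n" }
}

# Hash every candidate that exists and compare against the report.
$hits = @()
foreach ($p in $Candidates) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $size = (Get-Item -LiteralPath $p).Length
    if ($ReportSha256.ContainsKey($hash)) {
        $verdict = 'SHA256 matches report: ' + $ReportSha256[$hash]
    } else {
        $verdict = 'hash not in report; the path and name alone are the indicator here'
    }
    $hits += [pscustomobject]@{ Path = $p; Bytes = $size; SHA256 = $hash; Verdict = $verdict }
}

# Running processes with a core-OS name but an image outside System32, plus the two odd names.
# Win32_Process is used instead of Get-Process so that 64-bit images are visible from a 32-bit shell.
$sys32 = Join-Path $env:SystemRoot 'System32'
$procs = Get-WmiObject -Class Win32_Process | Where-Object {
    $_.ExecutablePath -and (
        (($SystemNames -contains $_.Name) -and ($_.ExecutablePath -notlike "$sys32\*")) -or
        ($_.Name -eq 'xk.exe') -or ($_.Name -eq 'IExplorer.exe')
    )
} | Select-Object ProcessId, Name, ExecutablePath

if ($hits.Count -eq 0) { Write-Output 'No dropped files found at the report paths.' }
else { $hits | Format-Table -AutoSize | Out-String | Write-Output }
if ($procs) { $procs | Format-Table -AutoSize | Out-String | Write-Output }
```

A file that is present at one of these paths but whose hash is not in the report is still a finding: the report shows the sample re-writing its copies with differing bytes, so the absence of a hash match says nothing about whether the copy is benign. Files found in `AppData\Local\WINDOWS` will be hidden under the default Explorer settings, which is why the sweep uses paths rather than directory browsing.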