Analysis

  • max time kernel
    133s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 22:29

General

  • Target

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

  • Size

    45KB

  • MD5

    636e5a04688045b7bb9e766678779042

  • SHA1

    ee262b0581b7504b8705ba9943b62f25fa9208fd

  • SHA256

    639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

  • SHA512

    96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEE:8AwEmBj3EXHn4x+9aE

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe
    "C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:780
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3044
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:848
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3580
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4528
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1112
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1244
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2092
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
    1⤵
    PID:1112

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

            Filesize

            45KB

            MD5

            6c898108e26dcc674592a582c09d42f3

            SHA1

            d8b18f8117428625c61ffc8cc138c1fc67bb64e1

            SHA256

            4d8a0be61bec8f1cd743173d26b1e76f3d05b4c686cb825f6d7988afcd3da822

            SHA512

            1aa895b8c53bc8ea29f18595a33ce84cbdb9f8562d02b914c4d0d149941d53a0e2aa455d796995f9b7d01af81226f5e50fae4898565327b7ad1479e515ded276

          • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

            Filesize

            45KB

            MD5

            7de63ebc6d4ea9dc59851d2847b016c3

            SHA1

            5f88707a80b920c0a32b9c6c61609d88dcc8aa63

            SHA256

            5596f53d5883742ea48545358e56ec657a68a49d9902bd461015ba834e8e7a3d

            SHA512

            ef24fc5748e4153cacb3622b266f8f99a939129abeff94131333577be2de8d8d1b1b17dc33a3aace172702d374b4cca97635f1696547d9841bd0066edbaa369f

          • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

            Filesize

            45KB

            MD5

            821fc71bcb3ea2a28081816b42d1e341

            SHA1

            9550a21685468762ad281385f4e9c18ce4ccaa9b

            SHA256

            62ca0ae29e6b93c5e2f0640030efe1e85677d0c4669c619c5556ebb8ef5df1a9

            SHA512

            71f3ee788b3f789048b019bebf5c4348dd6732cdbcdf4f00c7d0d3b3e0ba34a5fcd23b66fc7e071d7ff914ef2ce1502078e11c286e670248cfb93892622289c7

          • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

            Filesize

            45KB

            MD5

            ff20475cac107e2d635d051578a31abc

            SHA1

            57311708f527056e0869f460466a9c7f553061be

            SHA256

            caa3ddcf67e2691e44f5b9abf21ea1845750b1cf604200252650687571a9924d

            SHA512

            738c1aeb880204fdce66b96cf68a7ad5c54219e1fadf67acb3df8954e5433e5b4146051a30e93631fea4742b7bb9dac73fa1035854bd1f8e3d0af1fa0908694f

          • C:\Users\Admin\AppData\Local\winlogon.exe

            Filesize

            45KB

            MD5

            636e5a04688045b7bb9e766678779042

            SHA1

            ee262b0581b7504b8705ba9943b62f25fa9208fd

            SHA256

            639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

            SHA512

            96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

          • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

            Filesize

            45KB

            MD5

            731122c223e7d4f3638585b1d9069899

            SHA1

            c5aa04b5647a236576d819a2e43025bc8e6453a1

            SHA256

            a89f920e0f34a7a090cf45ba0d812e1291fa40c1b72f1d1a5f8e87e58cf2ff0c

            SHA512

            f8589850fe4e7945dc2fd39b8fb57ff50dcd41aafadc7f218d0ed3b5d2aa586e7adb0cc03ccfcef1ae2ee2ba2a87f4eefc4f2cfd8729527eddc6510a8ad2a376

          • C:\Windows\SysWOW64\IExplorer.exe

            Filesize

            45KB

            MD5

            508977c2bdc9fd07d007341d84e832f5

            SHA1

            dfcb0ca1465caac2991b99f8437be91d4714344d

            SHA256

            aea4b21684bdd06b1d3c58b60fb585a15857eb4a03690f2bc59e20a2894f6bb4

            SHA512

            66981c80506f16dd1a5c9bc68fa8f83a1183ddb2686f3bf667ebcbed40aae4945283151d7cc79139d4544fdbe9a24c979f1bff8c5e559333e32088bd1900f4f4

          • C:\Windows\xk.exe

            Filesize

            45KB

            MD5

            0a58a3fe4ba558abd31e361d97a86b08

            SHA1

            c4100774f9e1db36f1b49578564fb70dbdb2630c

            SHA256

            0baaa876a1b6d0c635adb6d591b3a85c0d4dee25fe98a181f43d98b7a6ae8a78

            SHA512

            a59d6f679dee6b1b6cb0048c0cb2f5e6b365aa2c99579828ca3292136944d98da1d714019b9e03506c2c7f92ace15c1ed7683adab578f25b21595cc57015845e

          • memory/780-0-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/780-155-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/848-118-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/1112-140-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/1244-146-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/2092-153-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/3044-113-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/3044-108-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/3580-123-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/3580-127-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB

          • memory/4528-133-0x0000000000400000-0x000000000042E000-memory.dmp

            Filesize

            184KB