Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/05/2024, 03:51

General

  • Target

    dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe

  • Size

    91KB

  • MD5

    2835b0b18d506ee17195779b74fd5efb

  • SHA1

    22fee58891fccfb3acfa278d376e28be5f8726d7

  • SHA256

    dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93

  • SHA512

    df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0PoxhlzmDAwEmBGz1lNNqDaG0Poxhlzm+:FGmUXNQDaG0A8DGmUXNQDaG0A8+

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 22 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe
    "C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1720
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2332
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2496
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2300
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1664
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2444
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2704

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\winlogon.exe

          Filesize

          91KB

          MD5

          2835b0b18d506ee17195779b74fd5efb

          SHA1

          22fee58891fccfb3acfa278d376e28be5f8726d7

          SHA256

          dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93

          SHA512

          df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c

        • C:\Windows\xk.exe

          Filesize

          91KB

          MD5

          d7deea285920b9b5ec4ea5ad9bf70941

          SHA1

          d9623a424025056dbc1454f70d638bf530ca0cff

          SHA256

          c9bc4f226cf1fa1379cafa44adf7542b3587798ba44b8f0c5a5ba799e3e7aad2

          SHA512

          d48d050ad4c9d24ad3e778f8d7e6fbd81c50a19336a8b8d3228895cdbb852072a221064cbdf2b0f74dab24203dcd81ae537888dc48c2cbd90183d09b078fa511

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          91KB

          MD5

          70a1b4ffe5bd642e5524fd6812992ab4

          SHA1

          7b0fb1c8e3e654a00cd83c385faf6d339569d29e

          SHA256

          2194d6b56c39d6449ac2af37e14ed5bb703a7706822be6ba648fe4b0969a958c

          SHA512

          057a81b4bfd83ffb40e191b059544f3c44af900bde23d4a7defb953d24faa6e9dc4b1a635a8941341ee0b31f61d38e588ffd02685c32300659eac38881da01b9

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          91KB

          MD5

          9d669fc6ea195329dfca2bda16a8f6e4

          SHA1

          49ba9dd41642749cb235dce02292bc0df8e1213c

          SHA256

          280b51b67cfd828c826e61c4ddf4c97225c1bd0bba5a45a140df04bc665b0079

          SHA512

          d1fbf73e78f3ca3a52b308bb80b802fcb6e61db67bd12112009eaa56bd36d0125b557d1a732043f197f00de77b31ad21bf073d2fd0dc28085f1b279e62985253

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          91KB

          MD5

          3852c85af939ae35624e9743e59b8aa6

          SHA1

          a7a6635435deb35daf9f4cf30111ae65933ab891

          SHA256

          ad3a88fd8fce2f576d60e1d89791a66a4c9f2279c0438cd6e06b923cfaafc6df

          SHA512

          a0e071f617ea72c4942ecac7f83e0cf67f66bbb1b53d9b5ad436f1e9e25ed34e796b0421f984bef9ad5aa885e5c274b24b98bc9fa1089b1cc1aef020453f2921

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          91KB

          MD5

          7e0f131f643fc35864884b60acc9bc29

          SHA1

          6e94d31a3032d4888cfbd04e4d83fd3211e1d1ed

          SHA256

          766249c372a13a49f72f26b4bfb90897e5526642121114bf333620a371afd81c

          SHA512

          2b53ac7ab942f44e610d8a62e21c290c064a9cafd7df30ed5eff5c630c8970b4a6a094a2769147b549a45868172b645d4c172e0c72efd9dd5ff88aac3f636eeb

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          91KB

          MD5

          5cc2f01aec8c0543eabed83592ed878e

          SHA1

          0b97f8d4c78040494bc6f5af7a3958ba78ae373e

          SHA256

          06a37d24e65c75e6a5a87c990dccb62c73476d2d3118c52933900550923b3bd7

          SHA512

          28b290b881d1f07068b226a20fdf2e312bf455bad1a48372be16fd796625bd00b4e68abf89ef3c6b1a5602a29223be1b1605c885e537c69b18dc933fe8d5d4f6

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          91KB

          MD5

          62627a96a0ad5ac26f930cc8d5356c35

          SHA1

          06141054829c3c36cb14eeab15e30606951bb924

          SHA256

          727ad227afa3362e5e16776edb5c6a06ecfa9db39fe4e9422083083498423d99

          SHA512

          85efdceffb3786412e6dbc7cc52c249193c9b763fe1f0b04e2930bb28c2a0d21d00f6cf827b0f94cace468a9b3b80ebce4ce9287907bf6789453e94d0cb145f2

        • memory/760-161-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/760-159-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1664-150-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1720-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1720-110-0x0000000002520000-0x000000000254E000-memory.dmp

          Filesize

          184KB

        • memory/1720-157-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/1720-182-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2300-135-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2300-137-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2332-114-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2332-111-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2444-171-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2496-125-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2496-122-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2704-183-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB