Analysis

  • max time kernel
    134s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 03:51

General

  • Target
    dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe
  • Size
    91KB
  • MD5
    2835b0b18d506ee17195779b74fd5efb
  • SHA1
    22fee58891fccfb3acfa278d376e28be5f8726d7
  • SHA256
    dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
  • SHA512
    df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c
  • SSDEEP
    1536:FAwEmBGz1lNNqDaG0PoxhlzmDAwEmBGz1lNNqDaG0Poxhlzm+:FGmUXNQDaG0A8DGmUXNQDaG0A8+

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 18 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe
    "C:\Users\Admin\AppData\Local\Temp\dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2340
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1600
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4208
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3016
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2480
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4724
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3652
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2492

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize: 91KB
          MD5: a5c3a51c086f63c9dd44c35e3dc9228c
          SHA1: da79eda929540760e40f83f28fcd8c3958228cdc
          SHA256: af91cd9e3aa86a5c37468a6d66e0b6dbd25692902053639968604902a85045a1
          SHA512: 6f66de9033667541f77b1d89527c16eff6159b838971913b42133d181f2cdfc28291112e166bc951a7c1ce3c8b680063bff488d7cbaae96d786d7e9e5a99ac5e

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize: 91KB
          MD5: dde2b831ac85a7ffc2dda2fb7b156785
          SHA1: 696b79dc74918737c0eeb62aebb90191834f388f
          SHA256: fb8cd369c7d908e3443c96ccc82c645b1928ee7a0aea064d37463c44d600e254
          SHA512: 5b8d2b9943330ab321193486a556ce34b798174148df1e5fbb249279cef113cf71d6765ce6dd7a36e3cbc66812f5627efd3683edb3b452ff4a9edb37df669095

        • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize: 91KB
          MD5: 9438b88fbf174389c124d6301269cbcb
          SHA1: dd22bd0f6b3d07ce9d2a8a328b9d561d66b35101
          SHA256: b4cc04309abd18cdd6dc29c5705b50595ce5ae687d0b44bc64a35d92e64742ae
          SHA512: 0686164ac898f2214e045a9732680422d23fdaa48a872ebe68b62515ebeeb2b1de792d95cd0007c7feca6217e5c05fc803b6d9e0fe9ec7634977ed931ac0129a

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize: 91KB
          MD5: 47d20245560a6992ac6765f47a499709
          SHA1: 597753a105feeb4a7e8095b11c065c2cc1af42bb
          SHA256: a94d3174c1f89913f952603829caa2d7b64622c4713437dcd0960f6b02b277b1
          SHA512: d30a035a971e3cc46c450ef63f515f196ec72594a28b3dc5f9252b14d0f20379db256ea96fd3f82d22d521abab51db31883342e07c6c3e898bb1ee54e034e06d

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize: 91KB
          MD5: 2835b0b18d506ee17195779b74fd5efb
          SHA1: 22fee58891fccfb3acfa278d376e28be5f8726d7
          SHA256: dea3c6095224ec27d9656783895fc59fe9a3a8a26b0304a6a2733e4481761c93
          SHA512: df68607e4403a1d1330b46cb98da4bbb593f510b4bba99a2ba400139a315501b4374fcf2187480b0716b0474291018c81b730c6538cc1a54486f5e9a9b40885c

        • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
          Filesize: 91KB
          MD5: c436b301f9588ff17d835b76e98731ca
          SHA1: d9bb7696ef72698defaa42b63fcec42dd9a0798c
          SHA256: ab0d36a5911cbb89f89e3356fc8815364db9b7efa182c23ccabbeff2d8bc4e0e
          SHA512: 9a9a8299f67447acebb5ea7c2476faeb4fb917b052490778519bb4370842995924c6305944df2e27c139571b68c7b1b47f95bb98e2713784e10e3ce7afb7d93e

        • C:\Windows\SysWOW64\IExplorer.exe
          Filesize: 91KB
          MD5: 81c3e4d144481943e744a51f7d5704d7
          SHA1: 6c1da16e8c9d441795a8a063029c516af6e32a9c
          SHA256: d7e82662fb681e17b1294f65c3284e371d2d7c6acc3b4858708085bc19484f51
          SHA512: d18ed055bcefb5ae4f7acf20499ba6fdbaccc95a473eefcec7d163f16312507a3bb7c697c755fb636845f525c225fb677a811585958c3fd8cdee49b5683217a8

        • C:\Windows\xk.exe
          Filesize: 91KB
          MD5: 6aae7800264cd455514e6dc707abb33d
          SHA1: 0340e043c29bfe242a19bd2e7b4f848c17822497
          SHA256: 87f13175c6c7c8a98ccf7a63c336a9775a9ffe8031af8f6e081f511245e9e0ad
          SHA512: 3f13549491d0f7e566c00bdc35081b01cf513085354489bd30c497951388ec66508adc321653e68969d7bc6d7b3a27353d8f0d6e49f3e3a048b5385dcb58be27

        • memory/1600-111-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/2340-153-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/2340-0-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/2480-131-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/2492-151-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/3016-126-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/3016-122-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/3652-144-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/4208-121-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB

        • memory/4724-138-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize: 184KB