Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/05/2024, 23:52

General

  • Target

    816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce.exe

  • Size

    45KB

  • MD5

    04c22eb70441dd2c0a2662136d6cd9f8

  • SHA1

    ae9212efcfc6135fb6fd588bee304c5186854a57

  • SHA256

    816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce

  • SHA512

    228cc38de649ee93adfbd03c593afac6dd7b7403fed4fae8aed2988d25db273d54c4a7395dedbb8c9c972e64a4033269e49d6bff58f6ea1bda36eba192d0d8e9

  • SSDEEP

    768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nEE:FAwEmBGz1lNNqDaG0PoxhlzmE

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 23 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce.exe
    "C:\Users\Admin\AppData\Local\Temp\816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2204
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2836
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2968
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2688
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1032
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2188
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2424
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2340

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

          Filesize

          45KB

          MD5

          6ee891fd3d38013258cc4537bd0eb97f

          SHA1

          249489c651df94df8b3fa385b1800d64be886b72

          SHA256

          f6aac6267e24a5bc41b260b7cc17879eb63bef550589b4557f05aec1897ecdd7

          SHA512

          aea8609c4dea70438692e401adbed34e9a9ef4a648e9362f20c41c0788822968f43f5fedd209807760d06e620740934356a8d7678fb4407ff5622f67cbb39ede

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

          Filesize

          45KB

          MD5

          14931c8827f330530f6bbac79afdec64

          SHA1

          9c7ed4b81071cee7c9b52c5665664f83e6502a61

          SHA256

          038227fbe66b91a0725819ea048ceb740c649b74c676357151e7e11112942de0

          SHA512

          c2fc902d45ba53896fb83b734161199edf3ea7cb5edfd42b436e1b3f43fe9b1fe5755f87f9df0bda0eb862c0ecaacb65ad22c9910b8aafc3e11ec00d932807e7

        • C:\Users\Admin\AppData\Local\winlogon.exe

          Filesize

          45KB

          MD5

          04c22eb70441dd2c0a2662136d6cd9f8

          SHA1

          ae9212efcfc6135fb6fd588bee304c5186854a57

          SHA256

          816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce

          SHA512

          228cc38de649ee93adfbd03c593afac6dd7b7403fed4fae8aed2988d25db273d54c4a7395dedbb8c9c972e64a4033269e49d6bff58f6ea1bda36eba192d0d8e9

        • C:\Windows\xk.exe

          Filesize

          45KB

          MD5

          b31f34510adebc921dbce02f30255e70

          SHA1

          1561f9aa83a2f5d2cef7d1c6cb03c037a75b183a

          SHA256

          7939fb3b85faa22d9e7ef7c20c4effd1d00671f7c383e16fe363667a4b2b7075

          SHA512

          a90ccd12d8bbb4e6812fae1aafb451b65fbc9f67d226a6bd33b41ebd741d3a06c6989cb27cfe50382db573f0638c367b5f7cc959ad07bff4c3cea2432c9ecec7

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

          Filesize

          45KB

          MD5

          91f259f445966fc205fa5644e1853e7e

          SHA1

          b6d49edf2b6db3d1700b99271eb759dd8e82a6eb

          SHA256

          76bc3ca6dfe670423b30c56bfc1887632a7a258b07efa41a118777ba1460f3db

          SHA512

          5aae4c76c719ab4f4a07478c3710df6bb26f2578d275c495da2e94ebc6919acd47ccc650504d6e0fc790fd72665ed3feb2ee32d21a0e89a901e8631c4ffd493c

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

          Filesize

          45KB

          MD5

          6ae167f1734ddc8e2a684039c479eb08

          SHA1

          44198e3aba6b4f65a9d7bd61d1a893673d3d179b

          SHA256

          a818716e93a56d8df247814f27bbdad7bbe08648f767346c410870f8f4562904

          SHA512

          0c5bfbb50dcd9686d2688862ee3853edd962ecfb164def36ab9619dac2a0e0c268995186dbd9323b9b21fbeb990da096d8e43f72471ecc11e154aee730d200ff

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

          Filesize

          45KB

          MD5

          e18615f33375da9e599f1d62397a19db

          SHA1

          ddb792d3adaa2af02a96fa960f9b94831f3d5aa6

          SHA256

          c9bda5f5842de0917b80453a53883185c0a72391e79c28c16c4d0a0aff6ea4c1

          SHA512

          cf83c1c217d8ee1873f7827c29c8948668168a6a3fe3b035f8be00aec1163ceaef994947a5bbd70ecb002487795ceb0d4984d9c4ec2274a9ff20a94f5f3f7f39

        • \Windows\SysWOW64\IExplorer.exe

          Filesize

          45KB

          MD5

          7bac6754dfe19c43cd7560536b038b69

          SHA1

          06360d5a9d7ba144ad41644b288c873f0075a4cf

          SHA256

          44da503b3a7c7ef08631e773bb26a890aa5e8375a192198b7cfc1f1e3e423275

          SHA512

          314a28b692ffc747113af84ba94924ba1f51edfadd43332f1dc0bb397579c46aa773a305a43315aa0ad4d9667b49846de69159791d035988569a1825f3589059

        • memory/1032-149-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2188-161-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2188-158-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2204-110-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2204-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2204-124-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2204-184-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2204-111-0x0000000002780000-0x00000000027AE000-memory.dmp

          Filesize

          184KB

        • memory/2204-169-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2340-180-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2340-183-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2424-172-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2688-138-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2688-139-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2836-116-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2836-112-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2968-128-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

        • memory/2968-125-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB