Overview

overview

10

Static

static

10

816223186f...ce.exe

windows7-x64

10

816223186f...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2024, 23:52

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce.exe

  • Size

    45KB

  • MD5

    04c22eb70441dd2c0a2662136d6cd9f8

  • SHA1

    ae9212efcfc6135fb6fd588bee304c5186854a57

  • SHA256

    816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce

  • SHA512

    228cc38de649ee93adfbd03c593afac6dd7b7403fed4fae8aed2988d25db273d54c4a7395dedbb8c9c972e64a4033269e49d6bff58f6ea1bda36eba192d0d8e9

  • SSDEEP

    768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nEE:FAwEmBGz1lNNqDaG0PoxhlzmE

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 19 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce.exe
    "C:\Users\Admin\AppData\Local\Temp\816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4404
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4964
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:448
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3536
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3716
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1588
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2236
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4452

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          45KB

          MD5

          1d826383f87db94ea77fa1e645578a62

          SHA1

          fb9d78bf53da7e12dc6dd483b15e5437188d59cf

          SHA256

          e08394690ea5e4769107a580c9434631b05b80938f0df914878779ac68218448

          SHA512

          2c9ee420682c3e28e47563b4c1857c7da1074cc81fb4006ad5718d01b6479db97ee3228ae1f2d4640989f23ad8e1858fd7d9a418b6a8736f222fd4889f339e3f

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          45KB

          MD5

          c5d181c54cc3674a586b793e8bbb2624

          SHA1

          d1259553f008287e0405fd80a6c6eac55ef89bb5

          SHA256

          7757a44f7ca3d55aef9d8a871644102e6771a8ed6cddb8d8637cdaa5051146b2

          SHA512

          6c92b917cecf74d6a84ac79d66d2f9facee45612273551a5566a470a96865410dbb65bebb240874c431172ba8c294024482ee3c45cf4b0e0630b4e0059f3cc36

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          45KB

          MD5

          2a0142420905227eef9b596dad9fe12b

          SHA1

          6a8c47499c71675bb0bbd29414790c27b542a476

          SHA256

          142d27fbf76d0e428946a2dc73b32d55d9ef0017a1818698793f74bdf0c87f88

          SHA512

          7181f14cdc8c609a06899596a87c68d1bee5a80b8c9d1b55de3a1e9cf4458a69b58780c1535d636fcf2d002a4c8d108df7c93b28cb2587d867ab9dcbe05bd005

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          45KB

          MD5

          34e71f3c2f054fcb7813a36d13755a4c

          SHA1

          bcee0b476400ab63fa0b0ce7ee3f0edf634830fb

          SHA256

          5779ee74419cbea1c20ab3044a8f500f0567fa253e040a29ce5b7996b0f1c328

          SHA512

          f11fa663b4d4ee9a7a634232b46b66867258e7860c2ee0437094aad0afc80ecef06db7cbe5045d6cd37374d0d3ba99cce380894104a64750dc777daccce129d1

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          45KB

          MD5

          591ca2703e86a1dbd7aecee94561eafe

          SHA1

          59febde85269ac4df7c4dac507547513b5f1438b

          SHA256

          fbb32b26b39c836eb0afece99a770985dd183b3b259911aa3546599f9a3e7d20

          SHA512

          0cc11897f3915c652d53060b754a9652616d5c4c2b680315cdf8131fa12a2703ed618c8ab16502fa01b7289b44d09f7d7b3f597b8da9b109321a930a942d8925

          Download Submit

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize

          45KB

          MD5

          04c22eb70441dd2c0a2662136d6cd9f8

          SHA1

          ae9212efcfc6135fb6fd588bee304c5186854a57

          SHA256

          816223186f467328e0376d1c3f8023888e0b16358411388ac4c78642fa3b8cce

          SHA512

          228cc38de649ee93adfbd03c593afac6dd7b7403fed4fae8aed2988d25db273d54c4a7395dedbb8c9c972e64a4033269e49d6bff58f6ea1bda36eba192d0d8e9

          Download Submit

        • C:\Windows\SysWOW64\IExplorer.exe
          Filesize

          45KB

          MD5

          cccc78f260b9ff3e655817e9cc5f19fe

          SHA1

          b5e7db802cf418ebd3143d9c536b1bcbb19ad2d3

          SHA256

          32681d2af41e586e18d915c32294b8682b161d2510733eefa8bea0e6ac662625

          SHA512

          653a76147a2a922a22a39701fb025ecb9aa915c40d2487aa7465ff611dd58dc2158f0ee6965d8a2671db5872700afe4a692107a6c43f8816a41a09b84a5011a9

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          45KB

          MD5

          f946a002b5c44c51a84bdee0e2e5ac33

          SHA1

          e3776d2c079f7562ddcf4a6bab7671c8a30cc8be

          SHA256

          2218736c5ae7c86689edbf58675a86bf9670af74ce01e50f0bddde36dead09fd

          SHA512

          9d2f82c8cf99bc1cfa842cef9f7bf10b9f75a18af29687c4e80dd18756f469ec496dc36eed812277fe820632b270fadde036a0b1d5898bab9ddaa9cac9d52416

          Download Submit

        • memory/448-114-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/448-118-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1588-139-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2236-144-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3536-122-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3536-124-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3716-134-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4404-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4404-152-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4452-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4964-110-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download