Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 03:34

General

  • Target

    d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27.exe

  • Size

    91KB

  • MD5

    0a27a1ec7e224eb2b55f88fd8fb7d21b

  • SHA1

    a30845c6d6deecdbd22da346c8ff37a647a051a0

  • SHA256

    d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27

  • SHA512

    577f02d35304d048ee5151af19849de10583f092b26087838445f28eece69ff34a02d39e21e4ea99b74cd6943dd1ff60e69eb440def17544e4f2e593e1775a9b

  • SSDEEP

    1536:kRsjd3GR2Dxy387Lnouy8VTQRsjd3GR2Dxy387Lnouy8VTY:kOgUXoutNQOgUXoutNY

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 22 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27.exe
    "C:\Users\Admin\AppData\Local\Temp\d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1908
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2392
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2308
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1792
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1476
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1548
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1412
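
The tree above is a textbook case of process-name masquerading: five children carry the names of Windows session and boot processes (WINLOGON, CSRSS, SERVICES, LSASS, SMSS) but run from a user-profile directory, and a sixth is IExplorer.exe, one character off both explorer.exe and iexplore.exe. The script below is an added example (not the sandbox's code) that runs a name-versus-location check over exactly these (PID, image path) pairs. EXPECTED_DIR is an assumption about where each well-known binary lives on a default Windows install, not data from the report.

```python
"""Flag system-process name masquerading in a sandbox process tree.

Added example, not code from the sandbox or the report. PROCESSES is the
(pid, image path) list from the Processes section above. EXPECTED_DIR is an
assumption about a default Windows install (where each well-known binary
legitimately lives); it is not data taken from the report.
"""
import ntpath

PROCESSES = [
    (1908, r"C:\Users\Admin\AppData\Local\Temp\d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27.exe"),
    (2392, r"C:\Windows\xk.exe"),
    (2736, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (2308, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"),
    (1792, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"),
    (1476, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"),
    (1548, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"),
    (1412, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"),
]

# Assumption: legitimate home directory of each protected name (lower-case,
# because NTFS path comparison is case-insensitive). Session/boot processes
# run only from System32 on x64 Windows; there is no SysWOW64 copy of them.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "wininit.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(pid, path):
    """Return a finding tuple for one process, or None if nothing looks off."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in EXPECTED_DIR:
        # Exact protected name: it must run from its legitimate directory.
        if directory != EXPECTED_DIR[name]:
            return ("masquerade", pid, name, directory)
        return None
    # Not a protected name: is it one edit away from one?
    near = [k for k in EXPECTED_DIR if edit_distance(name, k) == 1]
    if near:
        return ("lookalike", pid, name, "resembles " + ", ".join(near))
    return None


def find_masquerades(processes):
    return [hit for hit in (classify(pid, p) for pid, p in processes) if hit]


if __name__ == "__main__":
    for kind, pid, name, detail in find_masquerades(PROCESSES):
        print(f"{kind:<10} pid={pid:<5} {name:<14} {detail}")
```

Two details in the tree are worth reading alongside the output. The IExplorer.exe child was launched with the command line C:\Windows\system32\IExplorer.exe but its image sits in C:\Windows\SysWOW64: the sample is 32-bit (arch:x86 tag, 0x400000 image base) and WOW64 file-system redirection silently turned its system32 write into a SysWOW64 one. Likewise Local Settings\Application Data is the compatibility junction to AppData\Local, which is why the Downloads section lists the same five files under \Users\Admin\AppData\Local\WINDOWS\. A name-based rule like this one says nothing about xk.exe; that drop is only caught by the behavioural "Drops file in Windows directory" signature.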

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\services.exe

    Filesize

    91KB

    MD5

    0a27a1ec7e224eb2b55f88fd8fb7d21b

    SHA1

    a30845c6d6deecdbd22da346c8ff37a647a051a0

    SHA256

    d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27

    SHA512

    577f02d35304d048ee5151af19849de10583f092b26087838445f28eece69ff34a02d39e21e4ea99b74cd6943dd1ff60e69eb440def17544e4f2e593e1775a9b

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    dd19fa12ae34aef8096125db8e9f154c

    SHA1

    e85ec4d3665a00a0eb29b486c8e446f9054e8d06

    SHA256

    d8724e2c6d1a4daa98b4be533c3c46b7950491de3a37934d7eb0b17eb171582b

    SHA512

    153e8c514be7a0abab020198b3c884dcafccbac6f636feac8fa445ae57b2250b65558b756939ffac0597d3840011ae80073e2ecac6ba92da26eec4e962ac5f00

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    8f8d6ec68c419cc81c3064a685252bef

    SHA1

    347f2e8796d6a79f20969a4bd717072fb9c8f215

    SHA256

    efd698479fcec46d453ef2232b8cb631ceff2e760a1fbe3f80b9db71b851aaa4

    SHA512

    246502640266e6bb693e5328bb3da0e11e27d0231b5e41032ba0b364407b3276ba0a4ef650b618aab5fe58e3c856a3f221e417a79bfe9fee347ce5ed601b4ff7

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    9d2000882a74466a8f83262b54abab16

    SHA1

    b42b1fcde78165005e23854bc7496257dcf224a2

    SHA256

    c45e5ad576353872cab3b04f386fcaa115c66c9546754172dd9b57401b19d0fc

    SHA512

    c9a051c7b86fe60ad58f6ae26f1ffff1f5957fff70c200e041d1c66e3e932b4bdc5dd09ab238051efaf9979c91a4d70130050d74e3baa00b553afc9cdb95a81d

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    0109d5f9baf97418aaa3eeed7d224c21

    SHA1

    4f7f522f9610bfa1b05cea5823b9b1cc6d572cd4

    SHA256

    f771760c2eaaf572eeba1c3afee8dd167aabd8b6961d970e2cfdeb2574e5b013

    SHA512

    b646764ea357dd9a11e06e2e8fad3c540973f303ed7ed7fa5d6da23c554f75a7aa68dff8744d8f47a780f1682f5a23a701436f1bf891abcc80c3218af21ed7d8

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    cc74ffbde20be1eec92a4a8978599a1a

    SHA1

    38988651d651cf85b580204ceceb378c47386f99

    SHA256

    d58d0f5f9a2dbb8e5f8fcf3dddc8e0ca3c6f5f21d4fe9feef9fecdca98e022b1

    SHA512

    681b0f99c77078d6340085482a334df84669f655559e9a4b6389ceb3caf126f7a62bf6766f52ac199acba15e5958fc53c528242f87844b3ee51031fe28d18ea9

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    43fcb8be6280f75e6a55c16d5757f8af

    SHA1

    f01d91af4581546cea1a254cb6025abafa61d0b5

    SHA256

    2cdd170d22efbe715fc777833923151b4e450a8750e3c80b29a3db7fdf16c67e

    SHA512

    2947f9446ab84f4ac0355a7a8eabe0f92dcc7942890414ca6768a16b79efcb190276fd19a62141effd1117e1228474513eec5fc8a79e2defcb76ba9f4e48aab4

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    314a8a61994a7469bc7cc614791c4bd8

    SHA1

    7f8a7c4e156a47adf5a5d5d7c1afb4c9b3b6dcc5

    SHA256

    47ec58014730036192c9cbbc3956bd8a270f02db512df9788efe94dad1ebab47

    SHA512

    ebd63c3255e6ac8d6c79f8aac4707c5fb3f58743b5071b2c6a326d5ff6a1edf48ac362573a196ce7cdb7737f38dca5083c85a59fba080ab11f6f0ded63803003

  • memory/1412-184-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1476-161-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1548-179-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1792-147-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1792-150-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1908-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1908-186-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1908-181-0x0000000002420000-0x000000000244F000-memory.dmp

    Filesize

    188KB

  • memory/1908-146-0x0000000002420000-0x000000000244F000-memory.dmp

    Filesize

    188KB

  • memory/1908-112-0x0000000002420000-0x000000000244F000-memory.dmp

    Filesize

    188KB

  • memory/1908-158-0x0000000002420000-0x000000000244F000-memory.dmp

    Filesize

    188KB

  • memory/1908-123-0x0000000002420000-0x000000000244F000-memory.dmp

    Filesize

    188KB

  • memory/1908-105-0x0000000002420000-0x000000000244F000-memory.dmp

    Filesize

    188KB

  • memory/1908-168-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2308-136-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2308-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2392-115-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2392-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2736-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
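
The Downloads section is the part of the report worth machine-reading: eight dropped files, all 91KB, of which only services.exe is byte-identical to the submitted sample, plus twenty memory dumps whose names encode PID, sequence number and address range. The script below is an added example (not the sandbox's code) that parses that format into records, checks that each dump's reported size agrees with its address range, identifies the self-copies, and emits a YARA hash rule. REPORT is an excerpt copied from the section above (two files and three dumps, SHA512 lines omitted); the parser handles the full section unchanged. SAMPLE_SHA256 is the SHA256 from the General section.

```python
"""Turn the Downloads section of a sandbox report into checkable IOC records.

Added example, not the sandbox's own code. REPORT is an excerpt copied from
the Downloads section above (SHA512 lines omitted); SAMPLE_SHA256 is the
submitted file's SHA256 from the General section.
"""
import re

SAMPLE_SHA256 = "d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27"

REPORT = r"""
  • C:\Users\Admin\AppData\Local\services.exe
    Filesize
    91KB
    MD5
    0a27a1ec7e224eb2b55f88fd8fb7d21b
    SHA1
    a30845c6d6deecdbd22da346c8ff37a647a051a0
    SHA256
    d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27
  • C:\Windows\xk.exe
    Filesize
    91KB
    MD5
    dd19fa12ae34aef8096125db8e9f154c
    SHA1
    e85ec4d3665a00a0eb29b486c8e446f9054e8d06
    SHA256
    d8724e2c6d1a4daa98b4be533c3c46b7950491de3a37934d7eb0b17eb171582b
  • memory/1908-0-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/1908-181-0x0000000002420000-0x000000000244F000-memory.dmp
    Filesize
    188KB
  • memory/2392-113-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
"""

ENTRY_RE = re.compile(r"^\s*•\s*(.+?)\s*$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
SIZE_RE = re.compile(r"^(\d+)KB$")


def parse_downloads(text):
    """One dict per '•' entry; the label/value lines after it become its keys."""
    entries, current, label = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # the report separates every field with blank lines
        m = ENTRY_RE.match(raw)
        if m:
            current = {"name": m.group(1)}
            entries.append(current)
            label = None
        elif current is None:
            continue  # stray text before the first bullet
        elif label is None:
            label = line  # Filesize, MD5, SHA1, SHA256, ...
        else:
            current[label] = line
            label = None
    return entries


def file_iocs(entries):
    return [e for e in entries if not e["name"].startswith("memory/")]


def self_copies(entries, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return [e["name"] for e in file_iocs(entries) if e.get("SHA256") == sample_sha256]


def memory_regions(entries):
    """Decode memory/<pid>-<seq>-<base>-<end> names and verify the reported size."""
    regions = []
    for e in entries:
        m = MEM_RE.match(e["name"])
        if not m:
            continue
        base, end = int(m[3], 16), int(m[4], 16)
        reported = int(SIZE_RE.match(e["Filesize"])[1]) * 1024
        regions.append({"pid": int(m[1]), "seq": int(m[2]), "base": base,
                        "size": end - base, "size_matches": end - base == reported})
    return regions


def to_yara(entries, rule_name):
    """Hash-match rule over every dropped file: the weakest possible signature."""
    md5s = sorted({e["MD5"].lower() for e in file_iocs(entries)})
    cond = " or\n        ".join(f'hash.md5(0, filesize) == "{h}"' for h in md5s)
    return f'import "hash"\n\nrule {rule_name} {{\n    condition:\n        {cond}\n}}\n'


if __name__ == "__main__":
    parsed = parse_downloads(REPORT)
    print("self-copies of the sample:", self_copies(parsed, SAMPLE_SHA256))
    for r in memory_regions(parsed):
        print(f"pid {r['pid']} base {r['base']:#x} size {r['size']} ok={r['size_matches']}")
    print(to_yara(parsed, "dropped_copies"))
```

Run against the full section, the size check holds for all twenty dumps: 0x42F000 - 0x400000 is 0x2F000 bytes, exactly 188KB, and the 0x2420000 regions in PID 1908 are the same size as the mapped image at 0x400000. The more important reading is the hash table: seven of the eight drops differ in MD5, SHA1 and SHA256 despite identical size, so a hash rule built from this run covers this run only; the behavioural signatures listed above (Winlogon, Run key, exefile association, hidden-file and extension settings) are what to hunt on, with the hashes as confirmation rather than primary detection.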