Analysis

  • max time kernel
    134s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 03:34

General

  • Target

    d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27.exe

  • Size

    91KB

  • MD5

    0a27a1ec7e224eb2b55f88fd8fb7d21b

  • SHA1

    a30845c6d6deecdbd22da346c8ff37a647a051a0

  • SHA256

    d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27

  • SHA512

    577f02d35304d048ee5151af19849de10583f092b26087838445f28eece69ff34a02d39e21e4ea99b74cd6943dd1ff60e69eb440def17544e4f2e593e1775a9b

  • SSDEEP

    1536:kRsjd3GR2Dxy387Lnouy8VTQRsjd3GR2Dxy387Lnouy8VTY:kOgUXoutNQOgUXoutNY

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 17 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27.exe
    "C:\Users\Admin\AppData\Local\Temp\d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4376
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1004
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2028
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1480
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1064
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:384
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3616
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2020
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
    1⤵
      PID:2740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

      Filesize

      91KB

      MD5

      38403ef2c2fdf6f15bd15885c233ee64

      SHA1

      2bb158efe6bf1fba1c0c7945ec5d3ae86ed0329c

      SHA256

      f6748381f40d09908d4c769fdacc940304839efe75566fce7c16b820280639ab

      SHA512

      63738626810571b0912e48d6020c14bf45b86a5fc3649e76dc4d4505e22a7d998ee4253b6e722aa507e82aa1762bd762b50ad21768bb9fdd585d7b2e37536ff4

    • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

      Filesize

      91KB

      MD5

      c613d7730d8ca092db2adee5e41231d5

      SHA1

      34b86339f8b12c403f8040d67d14525a261ef56c

      SHA256

      a95063c1479f309c41e74d58548d4a8a9e921d36f60114d97bc14441ef5e8a92

      SHA512

      cd2246b35de24c5b1f76784e023e537c7cf3ea69387398a4ee8436eb486044e7e5ced8c97a46a13e04698ef2ff3994e825ed5b14a8eb8ad69f77e590255edcde

    • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

      Filesize

      91KB

      MD5

      41c18873e65420283ab0cfd14399831d

      SHA1

      e7c7c0b14af513f743885c05c1f68291673a77e6

      SHA256

      f79c585a99c40810fbca4191fb40f5b93be061e016c15ab674035cc23e7bf6e7

      SHA512

      52289ed6fec4eb27e19c2afda7e7b240888c8b9ee1fb1098fe17597d479a434452de91a8140f9c002a041eba9390692825af51eb003a764fde38fe9236e88a7e

    • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

      Filesize

      91KB

      MD5

      21bb7c05ac6237a55f199a2b2860365e

      SHA1

      6f23409caa7bc741cd0ac0377d44ec0868cd7f7b

      SHA256

      7bb8fc9c7518841e3b88911115797d9fc3c46d66af8695049a9b73a24e76c934

      SHA512

      471595a647cb4987c392a4b914e7db3329ca82796b66aa1f3ede0330d0fa2a2cf2c555d131925ad05e509cb3f254ceaf870346f6fcdba5c449497640304dc91f

    • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

      Filesize

      91KB

      MD5

      3fb69f48f7f30ba33ec204a3326b86da

      SHA1

      5ab8d0afb7df084606a5955e0d6c928271637b93

      SHA256

      c0e5b18a4699eaacf8b818dd87593698ec712b69d88c3727eb944d9cd3ebc3ed

      SHA512

      19c08f67c7e25ccb393f0a47b6250d5693c3cb05d24a1d5fa0cdb97eccf11a31ef388674b73440b191cb7bd80240509083e3eacd45717177349bcc5ac1dbfca7

    • C:\Users\Admin\AppData\Local\winlogon.exe

      Filesize

      91KB

      MD5

      0a27a1ec7e224eb2b55f88fd8fb7d21b

      SHA1

      a30845c6d6deecdbd22da346c8ff37a647a051a0

      SHA256

      d1ecbea4d739ea6eb1e111d8005e00e9d0749aefcc71aad359e4f8fdf4656a27

      SHA512

      577f02d35304d048ee5151af19849de10583f092b26087838445f28eece69ff34a02d39e21e4ea99b74cd6943dd1ff60e69eb440def17544e4f2e593e1775a9b

    • C:\Windows\SysWOW64\IExplorer.exe

      Filesize

      91KB

      MD5

      ae5f9c7207e39c607c0343d0f2717268

      SHA1

      f796a93d92ffe1e0e04a20eb04021e6286ffda3e

      SHA256

      9294326338698480bc6e40d4cb4dcba58a3ce334e976934f69101f833c25db63

      SHA512

      07f0f398164e4b523a81ae9b35b9cfbfa6f893a32881359b79ee092035596dd8b0b74a727e801695a9e182cc4e8b39eebc9a3cb6463667cefbae0ee56ee5eeaa

    • C:\Windows\xk.exe

      Filesize

      91KB

      MD5

      b2c679d3a81d3a775daf150d1829747d

      SHA1

      bfaabb45c8458fdf5d9fc98765d29ce76861e149

      SHA256

      7386e1d48645e50617cc466c5104790e9bb8e2bfe932bfe7894ea8c531147f25

      SHA512

      64aa87dd993c0cf4e1b96a9e100f76c3030d9c412a25f5412470fec6bdfaac6d9de783666ee4ae1b0d3b8910f5c3ee08e3982b4f76bf69742d0b4331b184899d

    • memory/384-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1004-113-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1064-135-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1480-126-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2020-152-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2028-120-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3616-145-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4376-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4376-153-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB