Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 03:42

General

  • Target

    d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe

  • Size

    45KB

  • MD5

    3209d84fe824dc59308dccab0c1d4b8b

  • SHA1

    edd0bef48665580a2a0b191fc9698251942ffd7b

  • SHA256

    d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3

  • SHA512

    6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEjB:8AwEmBj3EXHn4x+9ajB

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 25 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
    "C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1644
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2748
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2448
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1864
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:108
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2696
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    34b3c2156fa2c53f6ed928883a484810

    SHA1

    1ad23ed469d893dfe6ecd913cc4818a68833cf80

    SHA256

    11e5489f0f864d33c3d769ee0e372b67659ccf2bc571b3f0777a6a8904df2be8

    SHA512

    8fd8f0bb2871f28c512fea8b3c1319911b7057ee55bc57252f6d53bb98254f4287150027d2a576c850c3d48ed41e247a233beb5bc085be0d7d6283297435ee42

  • C:\Users\Admin\AppData\Local\services.exe

    Filesize

    45KB

    MD5

    3209d84fe824dc59308dccab0c1d4b8b

    SHA1

    edd0bef48665580a2a0b191fc9698251942ffd7b

    SHA256

    d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3

    SHA512

    6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196

  • C:\Windows\xk.exe

    Filesize

    45KB

    MD5

    5d7eb078c58a359c13ce1329b3f2aba2

    SHA1

    cc44a8a62746ab51845638f22e94fec8a48ba1f3

    SHA256

    a4000ab61427f703291dddf1f5dfecf62ec60b4f7810f158f2770a3c2a0341fb

    SHA512

    5a67d3be08bd9a48f81b8c6372b3484ba80bd36ee2c938d4d31fce1682274fda496e7f87c6a71373c80cea6de1c2b92f249fe9918eea13c93c36cf8f329925fe

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    45KB

    MD5

    7f7708c65eca10624d42deafa2884147

    SHA1

    6c2494b2812993ff4bd824947aba77f4965f94fc

    SHA256

    8b4451274efc4cf28ea4ce434b7ec745e5cac4a7d0e8410e91417b84c02fd64a

    SHA512

    2ce8d991a0b144a8cd96f8f6de74916250bab42aa0829f05630926c0106be036cd4dc9b729540d45a05ac80690cfb958323d557997b5018543b070efa2583f35

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    5aad6c8455194a793f855b9daf81582c

    SHA1

    93c71b5adfc9c9aec99304f0523870a106382faa

    SHA256

    3049c5fe4c79b2d52e65af8c440d68a44b6896e30d7facac04d6ea2d393732ea

    SHA512

    403ee3560e56c54360b3cf4cf3ca401d1360b8d06ef165b59325c2aa6cc099fb08bed18f41f3107f0868aa2796362b88c84e30c9f88328134167cbaaa78ff743

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    45KB

    MD5

    228b006b3967354ea94afce222ccd2f0

    SHA1

    f453b261577a4f730b621f7a32cd9b0f6b36f5bd

    SHA256

    f4fbe5b9a52a6d9e27c102802a2134a08d0340ac8b7b94ec5f716234bbad55de

    SHA512

    d76dd8b70ece96a9f922fd45a44ae5dd31bc4e3cca057d937fb91dd848b3c3f4a6004b4bd033c488104f192dc67e67358601e7e497114ab49af4d455b0e629d3

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    4bb16a0ad0b452c6b178960f3eb0906c

    SHA1

    ab4a7a520cfc1d6a07f059786fa15709c151790a

    SHA256

    6441a3c9fe91ba1257eab6fa0328023155b153bb3d587b1023a67079ca12a519

    SHA512

    f70650c3e3b87f64fd3e17481f7e6dcb6352cf679bbdc2001bd5d28831081a940559d7c9d28c21bb9a64df683339f8d22bc9bdf8c9375a18dbf397eec6674968

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    07649a598e6174feae2e9eb8460f3c48

    SHA1

    26fbeef5047ca1bf4d94e1bef0f7ec08f253b27e

    SHA256

    a928d09d25486b619e416f201089e4091e88741bf10fba60e4e7990236cdc90a

    SHA512

    66c5fd6bcbbf8ea95c68fb3bd964524ee52b928362607b35fc630fdd8c638a890a68a3d60a6327afcf51dfdebf0edfee6e1872bf2ce05b185b4586db9a79257c

  • memory/108-164-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/108-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/628-188-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1644-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1644-138-0x00000000031E0000-0x000000000320E000-memory.dmp

    Filesize

    184KB

  • memory/1644-137-0x00000000031E0000-0x000000000320E000-memory.dmp

    Filesize

    184KB

  • memory/1644-122-0x00000000031E0000-0x000000000320E000-memory.dmp

    Filesize

    184KB

  • memory/1644-189-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1644-111-0x00000000031E0000-0x000000000320E000-memory.dmp

    Filesize

    184KB

  • memory/1644-160-0x00000000031E0000-0x000000000320E000-memory.dmp

    Filesize

    184KB

  • memory/1644-182-0x00000000031E0000-0x000000000320E000-memory.dmp

    Filesize

    184KB

  • memory/1644-181-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1864-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2448-140-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2448-139-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2448-190-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2696-174-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2736-115-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2736-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2748-133-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2748-123-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB