Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-06-2024 03:42

General

  • Target

    d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe

  • Size

    45KB

  • MD5

    3209d84fe824dc59308dccab0c1d4b8b

  • SHA1

    edd0bef48665580a2a0b191fc9698251942ffd7b

  • SHA256

    d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3

  • SHA512

    6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEjB:8AwEmBj3EXHn4x+9ajB

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Detects executables built or packed with MPress PE compressor 19 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe
    "C:\Users\Admin\AppData\Local\Temp\d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4996
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1864
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3344
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3980
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2732
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:804

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    a99cf2380760f64395d8d50af3eb74ac

    SHA1

    caf868cf0ea989f60ac3f9ff43e903ca1f1b573a

    SHA256

    5068500d6f4c21a763661bb6b261724ff4b4734f317b83ae26d8a06994421d18

    SHA512

    fa788b73c31ab1497cef34c95f89eb467061f98b332bc362682505bccaad0e11ba79741ffe1c0c6d82e862a7dd7b54b412f38cbfa9eed1de0e721203c964b3bf

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    45KB

    MD5

    d0266de7aa7a59ad5fac537a03fb0b2d

    SHA1

    19ace44788b1c539a35a1ca67a7e84c6e7619f0e

    SHA256

    0846103d1871c680f6991e3ceae81722e9a8118f3e9c928c4b5c82c69e17993d

    SHA512

    a4adead5a5f8de14d1af21811760a46693538885ffec2fd79088d32b58dad8b136c48db22fc7f84d8852c1df8c390d25fd5b0a605e5e0f3e3b1e2086394b027b

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    45KB

    MD5

    4585aa8e1b975a3484619aa381356e55

    SHA1

    6cd68da54126a3fcaaeec9413dc0a2f6a78d9300

    SHA256

    eff415841b1c455df8841668c394c3dc6df9c5accc6747eeedde62c805596b5d

    SHA512

    52b20bef44c85e71d0804d87340ef40e12963f459904918ea3979b1410cf69fc2709d8540c7a88c5ac93628bc56f726dec01dfac55a820e1de411e842781ee09

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    a0765d117a1f75da8f78727e8a4fe0c3

    SHA1

    71739fcf50c6dab3ac49f13c68c6834f83a7d883

    SHA256

    9ff6a08b5db95a888c80185ae6fcce07f195c274e9fabdba7b8724f4e0107ccf

    SHA512

    a934e0619a5232100e30646f35dbc8aea537b7724800bd7fb172bc6891b3b5b0e085b2f43a508366a003d974634ce17ea48c92dd8f180125060e309078346160

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    3209d84fe824dc59308dccab0c1d4b8b

    SHA1

    edd0bef48665580a2a0b191fc9698251942ffd7b

    SHA256

    d4b36890765e965fc755ba1e8a5ac417a5f836c5f583bade52d4011f2f9807d3

    SHA512

    6d8247ee6ea118cbf9da3d1a6cb801220fbc2104a8bdfd882f738aa469835ae9539a68be7d7144aa8bb2be172683558c62424de0af635fef911898fe01dfc196

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    ae2443e2601cdf19ad28b48894db6e60

    SHA1

    a20fff013ae34596adcbca6c3f302f9465c1640a

    SHA256

    478aa9b9afe28d67b2eafabd97a8fa5a3ade67177994223fe6b05080052bb389

    SHA512

    ac7b75c5352301ec1eaa1aa4f3599202f6850f0e502a0206d67ecdfbbd72e9b6c9ab216e75e757493264bf1d409e1006b285ac2e0b5e05e03049ea3bf1d1b3b0

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    657ae0b046b6d26d86cd1b95c195f1b4

    SHA1

    60442987f20eac765d6d652e914405e674657052

    SHA256

    654d0ea5e56618763ff3a1826fb0ae02197fc74ec94844f2698f4dee566ad8c2

    SHA512

    dccc4ae101f2aeb1211dc3738a27230f35eb3df17fdb28aae4076f99536faddda27a7d388f506b5f81138b69d043edf8536b39723e3a1d95b9e81ef86e5a0093

  • C:\Windows\xk.exe

    Filesize

    45KB

    MD5

    09d9658628c7f0738f072a53d38c886c

    SHA1

    6a0debf5c04d2d0b68c1d9297b6b4c432ebe7a59

    SHA256

    fea1416b8aecd97c4401a17a5529d9351197e3847390efb837b74f2ce76fdf0d

    SHA512

    3f81bec3c9787b03eb66ea8a718eb51f2d02ed55587a20d14688d4cf7a2e4cf5823da3fdfa247c60ef654d463a0146584d331cf5fc94bfeabd3f32720780a08c

  • memory/804-153-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1152-120-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1152-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1864-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1864-108-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2732-140-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3344-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3980-133-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4152-146-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4996-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4996-155-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB