Analysis

  • max time kernel: 120s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240508-en
  • resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted: 01-06-2024 04:00

General

  • Target: da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe
  • Size: 91KB
  • MD5: 08eca8d511f841708bda81cc3d9c1d8e
  • SHA1: d02e9bdd5f24617b7c661f58da29871201b9c794
  • SHA256: da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1
  • SHA512: df551185ccfe29e286520fe661c255bff27ad2b7fefb0c566b5d2c23220b3ba5720db157dd80a05aa65cfa19349cfc5a277aa2f0ad8ffce4e6699ccb888a6182
  • SSDEEP: 1536:ERsjdf1aM67v32Z9x5nouy8VTkRsjdf1aM67v32Z9x5nouy8VTU:EOaHv3YpoutNkOaHv3YpoutNU

Score: 10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 21 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe
    "C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2296
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1224
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2760
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2772
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1020
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1548
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2388
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize: 91KB
    MD5: 08eca8d511f841708bda81cc3d9c1d8e
    SHA1: d02e9bdd5f24617b7c661f58da29871201b9c794
    SHA256: da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1
    SHA512: df551185ccfe29e286520fe661c255bff27ad2b7fefb0c566b5d2c23220b3ba5720db157dd80a05aa65cfa19349cfc5a277aa2f0ad8ffce4e6699ccb888a6182

  • C:\Windows\xk.exe
    Filesize: 91KB
    MD5: a6ec707e10234aac22e9d0adff2bc5b4
    SHA1: 73ec514f5fb29e893995fed425a56cdcdb2f9e8d
    SHA256: a5a7eb4f1aa2b38a335264986e51b68246c18f21cd1edc23eb7d5efbb8e67cfa
    SHA512: bfc466e2becc05173a5fd46c29a0d33572a2f99ee983c0de7873fa3a1311f87e4f77aa9ad1f38e92fb26b7453da2480e055a2f00282b9e3b714d8c9e0656cce7

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize: 91KB
    MD5: 9eeb06765d71e5fa1b91b4a09266857d
    SHA1: c71108b4b5e0bf66e4d15db54cd15650f04cb527
    SHA256: a86c9e561fb43463a64936d897ac13310b60081ace30798a52dccaf033fcc9aa
    SHA512: 132808c5ab99a02125b48f7927563cbe94ad90f7b67c87cd9781bd1901d1ccb0063f28655b0f5577e7c66f6ac0a86bb68f8008a14d50e0d8f9455d8ed6b12919

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize: 91KB
    MD5: 2fb55003b024e19582b71453bab08167
    SHA1: d4fe35c302c31aea8af2215acc9787f682be8791
    SHA256: cc62de6243b465e250de00db006b5048dd24e379c17c5d27de9a5d73dfee1389
    SHA512: a75455291293f1795e1be499edf0a878d83a943768f64ccefdc92908567a351af6becfe268d7147a44d6273bd8ca789556fa28ef0424e63a8a5118efcefae808

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize: 91KB
    MD5: 46c0257d5478d16bae9ef94ca330f3f8
    SHA1: 881ce0bc5b063582848e624d9d6b9b4f13fe39b2
    SHA256: 2ff5d800c5ef63b3e4d8cb5f4ace54ef5e9710d42525e56c953921f7da4dc313
    SHA512: 0fd9017d95d9ca239c2e8d2092b6e9c051855bd80897e33e1cc98b2069fc7878e02c479ddc5783c1cf6630132db4987e14d382c1f7396ff84e89cdb3807320eb

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize: 91KB
    MD5: 8036a71cbdd84f6e150220afaa168c78
    SHA1: 6f187420d427de99c5fb1f08d67f8acb8366d71f
    SHA256: bbafefcb9945a98bc102347fedeb7feaee8c645646871a92d59b18091dca242b
    SHA512: d2cd0f01b5af9f9b59283ba2467964ca24eb458ccdf6f3228b1f33e73487d96f4742ea34ccbd40e90c4f6745639cebfd7e68cb136cbb6ea1378cd5924d417395

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize: 91KB
    MD5: d45ff9133ef40756d81c745d64b696c5
    SHA1: 31d56c208903e49b55f56c1e6dc705175b81c166
    SHA256: 0395b22c135b102005e371094da9137c2ae24fde9c9e5afd05a12f66c500c66a
    SHA512: c9595802e1aea58c9e6def454e8051260d636147ca7d737c783a6c1286cdeafaad9b2e5e16234967b2c78db6bdb1dd80ff3566c96b2e232f314c37eb69ad4c57

  • \Windows\SysWOW64\IExplorer.exe
    Filesize: 91KB
    MD5: 3788c0d990c32dbd4c90bcd5b3bf3d6f
    SHA1: f530d404919daf03e600bc0719e0a269d4481384
    SHA256: 8ffe8bfab1ae0f760fd7c9884138a1285365bb5a959ad2e6c482a7f36bb5a1ef
    SHA512: 2697e3f40cf3e5cfbc8d22f671779fd7055c5fd57ef1109d6b54a5d194d84a8ec9c743a1d78d8e8c8986e3c3bd483001825f89401735309295273752ba4b1344

  • memory/1020-151-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1224-115-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1224-113-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1548-159-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1548-161-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2020-182-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2020-187-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2296-111-0x0000000001D50000-0x0000000001D7F000-memory.dmp (Filesize: 188KB)
  • memory/2296-133-0x0000000001D50000-0x0000000001D7F000-memory.dmp (Filesize: 188KB)
  • memory/2296-164-0x0000000001D50000-0x0000000001D7F000-memory.dmp (Filesize: 188KB)
  • memory/2296-134-0x0000000001D50000-0x0000000001D7F000-memory.dmp (Filesize: 188KB)
  • memory/2296-170-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2296-0-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2296-112-0x0000000001D50000-0x0000000001D7F000-memory.dmp (Filesize: 188KB)
  • memory/2296-188-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2388-175-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2760-127-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/2772-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)