Analysis

  • max time kernel
    130s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    01-06-2024 04:00

General

  • Target

    da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe

  • Size

    91KB

  • MD5

    08eca8d511f841708bda81cc3d9c1d8e

  • SHA1

    d02e9bdd5f24617b7c661f58da29871201b9c794

  • SHA256

    da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1

  • SHA512

    df551185ccfe29e286520fe661c255bff27ad2b7fefb0c566b5d2c23220b3ba5720db157dd80a05aa65cfa19349cfc5a277aa2f0ad8ffce4e6699ccb888a6182

  • SSDEEP

    1536:ERsjdf1aM67v32Z9x5nouy8VTkRsjdf1aM67v32Z9x5nouy8VTU:EOaHv3YpoutNkOaHv3YpoutNU

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 18 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
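
The signature names above describe categories of registry change; the report does not list the keys or values the sample actually wrote. The read-only PowerShell triage script below is an added example for this page, not sandbox output, and it reads the standard Windows locations behind each named behaviour (Winlogon Shell/Userinit, the Explorer Advanced HideFileExt/Hidden/ShowSuperHidden values, the DisableRegistryTools policy, the System Restore policy, the exefile open command, and the Run keys) and marks anything that differs from stock Windows 10 defaults for review. The defaults are an assumption for an unhardened en-US build. Because the sample is 32-bit (the resource tags say arch:x86 and its "System32" drop lands in SysWOW64), the WOW64-redirected Run key is included alongside the native one.

```powershell
# Added triage example for the signatures listed above; not part of the sandbox report.
# Read-only: reads the standard registry locations behind each signature name and
# compares them with stock Windows 10 defaults (an assumption; adjust for hardened builds).
# The report does not give the exact values the sample wrote, so anything that differs
# is printed as REVIEW for a human to look at, not declared malicious. Note that a
# sandbox signature fires on the write itself; a value rewritten to its default
# would not show up here.

$checks = @(
    @{ Signature = 'Modifies WinLogon for persistence'
       Key       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Defaults  = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' } },
    @{ Signature = 'Modifies visibility of file extensions / hidden and system files in Explorer'
       Key       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Defaults  = @{ HideFileExt = 1; Hidden = 2; ShowSuperHidden = 0 } },
    @{ Signature = 'Disables RegEdit via registry modification / System policy modification'
       Key       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       # DisableRegistryTools only blocks regedit.exe; PowerShell still reads the key.
       Defaults  = @{ DisableRegistryTools = 0 } },
    @{ Signature = 'Disables use of System Restore points'
       Key       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Defaults  = @{ DisableSR = 0; DisableConfig = 0 } },
    @{ Signature = 'Modifies system executable filetype association'
       Key       = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
       Defaults  = @{ '(default)' = '"%1" %*' } }
)

function Get-RegistryValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist; callers treat that as default
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    foreach ($name in $c.Defaults.Keys) {
        $actual   = Get-RegistryValue -Key $c.Key -Name $name
        $expected = $c.Defaults[$name]
        $status = if ($null -eq $actual)            { 'absent(default)' }
                  elseif ("$actual" -eq "$expected") { 'default' }
                  else                                { 'REVIEW' }
        '{0,-16} {1} -> {2} = {3}' -f $status, $c.Signature, $name, $actual
    }
}

# 'Adds Run key to start application' has no default to compare against, so every
# entry is listed. The sample is 32-bit, so on x64 its HKLM Run write is redirected
# to the Wow6432Node view; check both.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $item = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $item.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { '{0,-16} Run entry {1}\{2} = {3}' -f 'LIST', $k, $_.Name, $_.Value }
}
```

Run it from the user context the sample executed in (the HKCU keys are per-user) and, for the HKLM and exefile checks, from an elevated prompt. A non-default Userinit, Shell, or exefile command is the highest-value finding here: those three are what make the sample's copies relaunch on logon and whenever any .exe is opened, which is how this family survives a simple file deletion.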

Processes

  • C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe
    "C:\Users\Admin\AppData\Local\Temp\da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2728
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3332
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2740
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2104
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4384
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3204
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3108
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    91KB

    MD5

    60ec39dc7aa72ff0c223fa8eade22f35

    SHA1

    f572ec5aa0e505fce4e01f72b017bfc0673870c1

    SHA256

    100bc479d954ca39f6d62c223fdfb93ff559c6db137ca6e1991a36744a0382bc

    SHA512

    c6ce0f4a323105134b6113b7e3b129785c73975b6c286a316102f869f105ae8bc6f16264fe84cc9ec518c35c7624f44ba9bb2ca067af19834a744756e0b04b57

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    91KB

    MD5

    09d0b7a2b123b112f747dc27fbf936da

    SHA1

    ae84c14e0b5d6a8771a18c2fcdcef5aaa9dad5da

    SHA256

    d5fa10d2a4d3b15e496f822b67b2ad817caf93d5ad38a9992b890ca464cd01cb

    SHA512

    10684e4c7af9419f981840adfd618adadfff1e05ac45c82d65c64d995e80897e2fea053f3804d5d5e19826527f811c8954ca3e8a60080e533a0929dad7a3de81

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    91KB

    MD5

    c85aca85988cad269ce466526e639d7e

    SHA1

    c3a9659f216646b4f9095a244bb53e2c9392ec3c

    SHA256

    0618e6497f44f3b6a20e925d47e726da3775055cc4b6bbc9497889bb4889cf6f

    SHA512

    53026bc8b0dae955d6fe48ab3cd645d864853a0c762c75106d15d18c6bb593b01367960287189c167610bb60dab3223fd6faa356a85e1300908ccd41381bbe67

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    91KB

    MD5

    6727710871b03c8613e66a270cb37c0e

    SHA1

    e2b4cb80999f4f9bebe79ae8283ba62a8d9a5be8

    SHA256

    3b2170beb9cbfc0353e5098d6f46628cc27f4b2be1fb2d7f14ae1f0c994b9853

    SHA512

    1bb1ff5e505d28c065903708302b7b0f200e25454e68af1a90341beb4284ceeb6dace2392c06adfa22ae3de7462f0cd4f0e721cd25d0ed423a0e3ab4b007a597

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    91KB

    MD5

    ef02a20f0db596617e9596390518d0e4

    SHA1

    e7b93f563a3e1f818d8fc35c83eb48c445f0b4ae

    SHA256

    a89766280c8ea81d6f0fba8955a3e2b6cb2bbc9ea4afb9dd31ab954cbd800d87

    SHA512

    5a733da9424e53b9114912779205e5a0fd78490ee12d3914990706eead0a4e1a372c6bbf43978afe020e20319ee90bfafcf7215726b677e911e4993bb4cb0bb5

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    91KB

    MD5

    08eca8d511f841708bda81cc3d9c1d8e

    SHA1

    d02e9bdd5f24617b7c661f58da29871201b9c794

    SHA256

    da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1

    SHA512

    df551185ccfe29e286520fe661c255bff27ad2b7fefb0c566b5d2c23220b3ba5720db157dd80a05aa65cfa19349cfc5a277aa2f0ad8ffce4e6699ccb888a6182

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    91KB

    MD5

    2fb493a5e4005cff8e879e387c5c4458

    SHA1

    e277b055328741377a2a16d1a63e333d8dcddc8e

    SHA256

    d8919df377acaa5d821c993ac2a2ce55ec47d1e3d728f70bbd1d14a25c1c9df9

    SHA512

    1f1c87054d1c5b087da3229aefd34da6bb29daaf59f4aa91cbb386430abcfd72c4ce4d7f24047b81c4989670ab5d014c7c1d8cfa46cd1a2248da251429f661f4

  • C:\Windows\xk.exe

    Filesize

    91KB

    MD5

    6e1552548c4c929fd5090aafdb0bf0d9

    SHA1

    b88e0eff4fa0707a8337e48aa9b8a80ba7ea4242

    SHA256

    2d0cead97a30a42a09008b66a8e04bda720205924b83c8f3f73bd3ad33cbe64b

    SHA512

    b11766e549b336db7233603e60c5a1691478f6f61f7ded4bafbb3cc65f76106c39a62fb4cea25bef273a6f5e6387af1b66323125b4add1333b54110fa1f0eaa3

  • memory/2104-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2292-153-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2292-148-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2728-154-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2728-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2740-120-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3108-146-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3204-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3332-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4384-133-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB
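
The dropped files above are the host-side indicators of this run. All eight are 91KB, but only C:\Users\Admin\AppData\Local\winlogon.exe carries the submitted sample's own MD5/SHA1/SHA256; the five copies under AppData\Local\WINDOWS, plus xk.exe and IExplorer.exe, each have a different SHA256, so a hunt that checks only the parent's hash misses seven of eight. The `C:\Users\Admin\Local Settings\Application Data\WINDOWS\...` paths in the Processes tree and the `C:\Users\Admin\AppData\Local\WINDOWS\...` paths here are the same directory, `Local Settings\Application Data` being the compatibility junction to `AppData\Local`. The PowerShell script below is an added example, not part of the report: it checks each listed path (the `Admin` profile generalised to the current user's `$env:LOCALAPPDATA`, and `C:\Windows` to `$env:SystemRoot`, both assumptions) against the SHA256 values above, and then flags any process bearing one of the five masqueraded system-binary names that is not running from System32.

```powershell
# Added hunt example for the dropped files listed above; not part of the sandbox report.
# Paths and SHA256 values are copied from the Downloads section. The report's
# C:\Users\Admin profile is generalised to the current user via $env:LOCALAPPDATA
# (assumption: the sample drops into whichever profile it runs under).

$dropped = @(
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\CSRSS.EXE";    SHA256 = '100bc479d954ca39f6d62c223fdfb93ff559c6db137ca6e1991a36744a0382bc' },
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\LSASS.EXE";    SHA256 = 'd5fa10d2a4d3b15e496f822b67b2ad817caf93d5ad38a9992b890ca464cd01cb' },
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\SERVICES.EXE"; SHA256 = '0618e6497f44f3b6a20e925d47e726da3775055cc4b6bbc9497889bb4889cf6f' },
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\SMSS.EXE";     SHA256 = '3b2170beb9cbfc0353e5098d6f46628cc27f4b2be1fb2d7f14ae1f0c994b9853' },
    @{ Path = "$env:LOCALAPPDATA\WINDOWS\WINLOGON.EXE"; SHA256 = 'a89766280c8ea81d6f0fba8955a3e2b6cb2bbc9ea4afb9dd31ab954cbd800d87' },
    # Only this copy is byte-identical to the submitted sample (same SHA256 as the Target)
    @{ Path = "$env:LOCALAPPDATA\winlogon.exe";         SHA256 = 'da4dff87a92b9af2aafa20a00ca67c8bac4c4e7a5693d851397ad6949f3d36f1' },
    @{ Path = "$env:SystemRoot\SysWOW64\IExplorer.exe"; SHA256 = 'd8919df377acaa5d821c993ac2a2ce55ec47d1e3d728f70bbd1d14a25c1c9df9' },
    @{ Path = "$env:SystemRoot\xk.exe";                 SHA256 = '2d0cead97a30a42a09008b66a8e04bda720205924b83c8f3f73bd3ad33cbe64b' }
)

foreach ($d in $dropped) {
    if (-not (Test-Path -LiteralPath $d.Path -PathType Leaf)) {
        '{0,-14} {1}' -f 'absent', $d.Path
        continue
    }
    $hash = (Get-FileHash -LiteralPath $d.Path -Algorithm SHA256).Hash.ToLower()
    # A file at the expected path with a different hash still deserves a look:
    # seven of the eight copies in this run have hashes unlike the parent's.
    $status = if ($hash -eq $d.SHA256) { 'MATCH' } else { 'present-other' }
    '{0,-14} {1} ({2} bytes)' -f $status, $d.Path, (Get-Item -LiteralPath $d.Path).Length
}

# The five copies under %LOCALAPPDATA%\WINDOWS reuse the names of core Windows
# processes. Genuine csrss/lsass/services/smss/winlogon run from System32 only, so
# any instance elsewhere is flagged. Run elevated: without it ExecutablePath is
# empty for protected processes and they are skipped below.
$masqueraded = 'csrss.exe', 'lsass.exe', 'services.exe', 'smss.exe', 'winlogon.exe'
$system32    = Join-Path $env:SystemRoot 'System32'
Get-CimInstance -ClassName Win32_Process |
    Where-Object {
        $masqueraded -contains $_.Name.ToLower() -and
        $_.ExecutablePath -and
        -not $_.ExecutablePath.StartsWith("$system32\", [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object { '{0,-14} pid {1} {2}' -f 'REVIEW', $_.ProcessId, $_.ExecutablePath }
```

One caveat when turning this into a longer-lived detection: every memory dump above spans 0x400000-0x42F000 (188KB) against 91KB on disk, which is what the UPX signatures predict. The on-disk hashes therefore identify only these exact packed copies; a rule meant to catch other builds of the same code should be written against the unpacked images in those dumps, not against the file hashes.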