Overview

overview

10

Static

static

10

a4bddb2f0d...f0.exe

windows7-x64

10

a4bddb2f0d...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    07-06-2024 04:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

  • Size

    45KB

  • MD5

    22904bd5ed107f0892cb4b0d5fe7a45f

  • SHA1

    dcec73652ff1c8d47b313ed00b37af93e9dc6751

  • SHA256

    a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0

  • SHA512

    09dfe38a23a61136d93e4d8dc45def9559f64334ed80cdd03ac8e01435cb21902f2789ad519677668fefe25f37b2c4c727058806cd525f8b7fc6cfe753026d8b

  • SSDEEP

    768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nER:zAwEmBZ04faWmtN4nic+6GR

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 23 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
    "C:\Users\Admin\AppData\Local\Temp\a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2928
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1932
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2848
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1956
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1240
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1624
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    2413ef38df7089a2183f9e8ce58ac711

    SHA1

    87b8d6d67ac8b93f9cf7dc2c01ded56466368d8e

    SHA256

    e8afa2ace522e65b1ba304478263503728521c1a1d9c603c2b04c26ee2c6cbbc

    SHA512

    d74eac0ff7f619b2fa74fbfcdf80c3c8ebe55ef623f4ba6a65c6a95173d0ba55df1b4528e2c0e4f29e62aae0efea639291420edd9e97e915e27ab91d02d32f52

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    da4c935cb355503c08213451366d9cb4

    SHA1

    a0ab7813ca71012735f634a628c84478bc99e948

    SHA256

    a8f9bb93dcd3c1f95ecdddbc2628fa92e95de5c276fdab197ad68a3ec395d72f

    SHA512

    b57d7a15569f851b8434631ed31a712dcc502b1cc052e57b223a65089f43fa0b88e7fb12a32ef724838ef2519d3aea59ac24c791cefb5edd780d5f5548fe3fe4

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    8a8ab2ba408fc1b11cb8a86aff39f13a

    SHA1

    1f0bb1f11cea570026e6737e7588d937af6e8119

    SHA256

    ee1dc77e6d863777586464c0a33cc35f4db4826534434fbda436a62f35ab5aaa

    SHA512

    307c238035821e448e716b49da2c0e841de791975514dec820e3e48597c12c196e68e76307894c1e8bb9d28b8900e00d20fb7399f37f830d20b516b29c5346e8

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    c5614480663cfe888c7dc5192736cfdb

    SHA1

    c6da2ec1cd4ca7d3ad913870d438d29d0f4f1437

    SHA256

    b06bc230f324c5cac0faac2ec857a68a97fdb8be886e9866cf297444c7dd4cdc

    SHA512

    44f335fa44636ea529f032163684110114b5ecf315563a9015cdad324e5ea45f5ab59401c4088ccde245284c7f19e954ae6f57267b384ee2259b48fe2af3d6a7

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    45KB

    MD5

    22904bd5ed107f0892cb4b0d5fe7a45f

    SHA1

    dcec73652ff1c8d47b313ed00b37af93e9dc6751

    SHA256

    a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0

    SHA512

    09dfe38a23a61136d93e4d8dc45def9559f64334ed80cdd03ac8e01435cb21902f2789ad519677668fefe25f37b2c4c727058806cd525f8b7fc6cfe753026d8b

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    a8dff4787cb6555978a5174de6aaf397

    SHA1

    5f1f4c5573edd65adff1890c7a4a97cf5f1b0df5

    SHA256

    5cac79ffd30a3aeb3f1fd7b84ddd4df48aa7054dd16328bae492ea22874dec17

    SHA512

    cd380fd8695cc47de0a264dd7536e4213e6bed3e3edd151e510034baaacfa72a6befd60ca6aae26a8b5f2a8f04e4e45e58eabd47e7d6e50df8ef8fb9f30f6eea

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    5ffdfa1a5d4910e34b476bf1dcd9a78c

    SHA1

    39af84240018624a86b5e40a18eef7b45a770952

    SHA256

    4bab48a37e812a3f16e247585ea2c594b809cc06c742e5568d16216ba13c1e6e

    SHA512

    890a94554a812f6761f17a1ae2f396724bc9280128b34e5166d7c0f74a5adcd0102c90d2a23c0ec807d2bb2d453cc4d085ac356e36cca399da93c2374f89d9ec

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    937777c451527bdecc3e8901dbc8a59b

    SHA1

    c1380fb423cb8894ed3ce63f251494f15f6cc216

    SHA256

    d2c7327d37b79d7ea71e33a6eeeab4d818c58bc1fae16fd4e0f0187ae603ec16

    SHA512

    faa4a948ab0f6067f4e16b99213e9ca188d50d01ef505465a639f8e53edf92f97ac4b6a5f61ae04c3cd99420d4b005b5fe4e382c06ab6da8d346ebc53e99612b

    Download Submit

  • memory/1240-160-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1608-137-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1624-175-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1624-169-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1932-114-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1932-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1956-147-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1956-150-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2848-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2848-124-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-145-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-168-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-123-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-109-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-146-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-116-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-110-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-185-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3036-181-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3036-186-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download