Overview

overview

10

Static

static

10

a4bddb2f0d...f0.exe

windows7-x64

10

a4bddb2f0d...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    07/06/2024, 04:36 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe

  • Size

    45KB

  • MD5

    22904bd5ed107f0892cb4b0d5fe7a45f

  • SHA1

    dcec73652ff1c8d47b313ed00b37af93e9dc6751

  • SHA256

    a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0

  • SHA512

    09dfe38a23a61136d93e4d8dc45def9559f64334ed80cdd03ac8e01435cb21902f2789ad519677668fefe25f37b2c4c727058806cd525f8b7fc6cfe753026d8b

  • SSDEEP

    768:xmFQj8rM9whcqet8Wfxd9Mmnfa+TAOBJgZiPGyilSniJO14ktp7DFK+5nER:zAwEmBZ04faWmtN4nic+6GR

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 23 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe
    "C:\Users\Admin\AppData\Local\Temp\a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2928
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1932
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2848
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1956
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1240
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1624
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    45KB

    MD5

    2413ef38df7089a2183f9e8ce58ac711

    SHA1

    87b8d6d67ac8b93f9cf7dc2c01ded56466368d8e

    SHA256

    e8afa2ace522e65b1ba304478263503728521c1a1d9c603c2b04c26ee2c6cbbc

    SHA512

    d74eac0ff7f619b2fa74fbfcdf80c3c8ebe55ef623f4ba6a65c6a95173d0ba55df1b4528e2c0e4f29e62aae0efea639291420edd9e97e915e27ab91d02d32f52

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    45KB

    MD5

    da4c935cb355503c08213451366d9cb4

    SHA1

    a0ab7813ca71012735f634a628c84478bc99e948

    SHA256

    a8f9bb93dcd3c1f95ecdddbc2628fa92e95de5c276fdab197ad68a3ec395d72f

    SHA512

    b57d7a15569f851b8434631ed31a712dcc502b1cc052e57b223a65089f43fa0b88e7fb12a32ef724838ef2519d3aea59ac24c791cefb5edd780d5f5548fe3fe4

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    45KB

    MD5

    8a8ab2ba408fc1b11cb8a86aff39f13a

    SHA1

    1f0bb1f11cea570026e6737e7588d937af6e8119

    SHA256

    ee1dc77e6d863777586464c0a33cc35f4db4826534434fbda436a62f35ab5aaa

    SHA512

    307c238035821e448e716b49da2c0e841de791975514dec820e3e48597c12c196e68e76307894c1e8bb9d28b8900e00d20fb7399f37f830d20b516b29c5346e8

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    45KB

    MD5

    c5614480663cfe888c7dc5192736cfdb

    SHA1

    c6da2ec1cd4ca7d3ad913870d438d29d0f4f1437

    SHA256

    b06bc230f324c5cac0faac2ec857a68a97fdb8be886e9866cf297444c7dd4cdc

    SHA512

    44f335fa44636ea529f032163684110114b5ecf315563a9015cdad324e5ea45f5ab59401c4088ccde245284c7f19e954ae6f57267b384ee2259b48fe2af3d6a7

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    45KB

    MD5

    22904bd5ed107f0892cb4b0d5fe7a45f

    SHA1

    dcec73652ff1c8d47b313ed00b37af93e9dc6751

    SHA256

    a4bddb2f0da1e64182d016c2a199d892e49d9ba1ffba7c8e387a3c45f0f864f0

    SHA512

    09dfe38a23a61136d93e4d8dc45def9559f64334ed80cdd03ac8e01435cb21902f2789ad519677668fefe25f37b2c4c727058806cd525f8b7fc6cfe753026d8b

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    45KB

    MD5

    a8dff4787cb6555978a5174de6aaf397

    SHA1

    5f1f4c5573edd65adff1890c7a4a97cf5f1b0df5

    SHA256

    5cac79ffd30a3aeb3f1fd7b84ddd4df48aa7054dd16328bae492ea22874dec17

    SHA512

    cd380fd8695cc47de0a264dd7536e4213e6bed3e3edd151e510034baaacfa72a6befd60ca6aae26a8b5f2a8f04e4e45e58eabd47e7d6e50df8ef8fb9f30f6eea

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    45KB

    MD5

    5ffdfa1a5d4910e34b476bf1dcd9a78c

    SHA1

    39af84240018624a86b5e40a18eef7b45a770952

    SHA256

    4bab48a37e812a3f16e247585ea2c594b809cc06c742e5568d16216ba13c1e6e

    SHA512

    890a94554a812f6761f17a1ae2f396724bc9280128b34e5166d7c0f74a5adcd0102c90d2a23c0ec807d2bb2d453cc4d085ac356e36cca399da93c2374f89d9ec

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    45KB

    MD5

    937777c451527bdecc3e8901dbc8a59b

    SHA1

    c1380fb423cb8894ed3ce63f251494f15f6cc216

    SHA256

    d2c7327d37b79d7ea71e33a6eeeab4d818c58bc1fae16fd4e0f0187ae603ec16

    SHA512

    faa4a948ab0f6067f4e16b99213e9ca188d50d01ef505465a639f8e53edf92f97ac4b6a5f61ae04c3cd99420d4b005b5fe4e382c06ab6da8d346ebc53e99612b

    Download Submit

  • memory/1240-160-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1608-137-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1624-175-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1624-169-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1932-114-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1932-112-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1956-147-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1956-150-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2848-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2848-124-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-145-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-168-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-123-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-109-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-146-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-116-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-110-0x0000000003220000-0x000000000324E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2928-185-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3036-181-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3036-186-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.