Analysis

  • max time kernel: 62s
  • max time network: 51s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10-06-2024 15:15

General

  • Target: 9bd4db6cc43cc311a51f293dafb616106f5358ae3e004acfc688ba049e565be3.exe
  • Size: 164KB
  • MD5: 5b577001d11ce2d1e5d7d6e5ada3c643
  • SHA1: e1a298d6422eef3810dc285f52d9a40a9d0e18ac
  • SHA256: 9bd4db6cc43cc311a51f293dafb616106f5358ae3e004acfc688ba049e565be3
  • SHA512: fc564a41a9b5e9d5b764a9edc7f0ab37a6bbeb0677f0db2958c8d7ab59efdf99a8e104d512d2714b00afbef15cf98247b42c7e3eda74a7891fac20e35f860956
  • SSDEEP: 3072:Ax/zF/ulxEf0++protYf3soixGNdQQVlxDZiYWuw1WKt:AxLFQcP+hoyEoi4Ndxd4uwI

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bd4db6cc43cc311a51f293dafb616106f5358ae3e004acfc688ba049e565be3.exe
    "C:\Users\Admin\AppData\Local\Temp\9bd4db6cc43cc311a51f293dafb616106f5358ae3e004acfc688ba049e565be3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4616
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1884
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4828
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2196
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4060
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1776
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1992
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize: 164KB
    MD5: b808421ac4f6843aa41c5a1b6c849c11
    SHA1: 15540d51f54486db8b68315707d5e3995cb132e4
    SHA256: 13bf3209332eeca3a8b638e1febfe06939ffe36a3e870bc6fee0ae0fb3766236
    SHA512: 1a7d46fe85fe123f22401ff9ec04b7ee468a9329fa1942ba7e877fea1d3f40e71ed80ec78446b54afcedf173797c6f6710b673b7ab4c2e10a44487db1bbf857a

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize: 164KB
    MD5: 5b577001d11ce2d1e5d7d6e5ada3c643
    SHA1: e1a298d6422eef3810dc285f52d9a40a9d0e18ac
    SHA256: 9bd4db6cc43cc311a51f293dafb616106f5358ae3e004acfc688ba049e565be3
    SHA512: fc564a41a9b5e9d5b764a9edc7f0ab37a6bbeb0677f0db2958c8d7ab59efdf99a8e104d512d2714b00afbef15cf98247b42c7e3eda74a7891fac20e35f860956

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    Filesize: 164KB
    MD5: d3c733cabe3cab88204373bcfe2370c3
    SHA1: 73f94569b6e16d1474b42b8adf536f2391cba6d9
    SHA256: 90a8c429a3d6b1a9a064a18543c1655278a74955b2235358366dcd75448dd10a
    SHA512: a32e624dac5082d077db08b7a956d993090144b224cb29acd790df66d97bdc8e04b37858c8f3dfc361cdd39fad542c53c514967584ae864f2b0db20778b3695c

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    Filesize: 164KB
    MD5: b4fdbb87ab56fd2e6002d764c01c6a78
    SHA1: 5aa449372a1cc082adcbedd0326041a574e18d52
    SHA256: 5919a04dc408738b07fba7e1481bcafae4c0d0acd11efec819b1c5be5518dcd3
    SHA512: 5e7daa574797567338abb04611af6314d248862a6bd88386097aa6456224c60cea63fac5bd7cde1d37929a6b9044ee265a06b3b2a9e13589fd57bb1520296692

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize: 164KB
    MD5: 49b63c7938c3c58c3e4b70d0036e11ac
    SHA1: 3708d7db4f58871421c8b3c3491a7664cf0e1282
    SHA256: cca2a125097e33ac10faccba42e3708fe559e218f7e95dd7c7fffc106e394fec
    SHA512: 2831752102c600a808e436c3f6a2aaf1dec12e3fbb8b9b953a8c4ecf403fd912e09e195b57b8440110a08567e4674c6bda3b3f368f55d8e24e68d1a73993b019

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize: 164KB
    MD5: 4c63181630b46f3a32e85e3f010afdb4
    SHA1: bfc98485dfb97b7dc5f4732fa72112d3b38e79c5
    SHA256: 9b72a5fedc138a63ab7b66bb44dbbf0b228c897c2d0ffa5430749463540eb5a9
    SHA512: 964025da26fa45256dc4f1757a779e9abb1618b97e18835312c4091b8b492fc60255d4939745ecefdc7030db6947210d5f9426a221fb48d1c3d460aeb144ba9c

  • C:\Windows\xk.exe
    Filesize: 164KB
    MD5: e432160544341290213b9c99697eaaa4
    SHA1: 2d92e57a05ccf7f8789e2503d1d045f0949507b2
    SHA256: 41c8e9ff87fa96ad30aa6bdc8607df0f4f73c25c5a01ff71ac94fa1c81d76de8
    SHA512: 71585367abb906a91c2d53f7d1076e55ae184d3b0fe76157a04a39afff42793d494d517fcf0c436b2821d7be7344a1512d8db8f8def31573a2d5b840c9fdec67