Overview

overview

10

Static

static

10

d14cd4a561...55.exe

windows7-x64

10

d14cd4a561...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    12/06/2024, 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55.exe

  • Size

    91KB

  • MD5

    30397d077599889f455ca4f0e81df7e4

  • SHA1

    12cb5f48a9d3df7f1bb6f576ad5ae9a902dfbd41

  • SHA256

    d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55

  • SHA512

    f0a3caa49f0397495d3f40d77894037b587db7948432631ab497c900ddd10f47fdc4f75778c94f6f262c756bebfecbee8f5f4a1d5c3724b62bbd7abe18804f30

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0Poxhlzmx6AwEmBGz1lNNqDaG0PoxhlzmY:FGmUXNQDaG0A8x6GmUXNQDaG0A8Y

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 24 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55.exe
    "C:\Users\Admin\AppData\Local\Temp\d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2468
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2404
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2700
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3012
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2260
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2144
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1612
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    55016b689725727baad59c9ebd2942c3

    SHA1

    1253c38db1b96573b13f1e91b1a79c9e80fe4f26

    SHA256

    b67f51190ddd21379d135bd9e90313735b7bed0e14190467dd49038ef685956a

    SHA512

    3846ac3961f37affc4c1e7d5e5b90d094c9194834822af1d8282099357ed53a5eab71945b89656d46601228cee24f90776da3d3bf6e26ecf4a46ad9932a80331

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    91KB

    MD5

    30397d077599889f455ca4f0e81df7e4

    SHA1

    12cb5f48a9d3df7f1bb6f576ad5ae9a902dfbd41

    SHA256

    d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55

    SHA512

    f0a3caa49f0397495d3f40d77894037b587db7948432631ab497c900ddd10f47fdc4f75778c94f6f262c756bebfecbee8f5f4a1d5c3724b62bbd7abe18804f30

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    c16cb5f27fa95584068a83a41ac9890f

    SHA1

    6cac4c6ed47b4bc6e4d8569128b978d69b3e566c

    SHA256

    49a46d631b8a928359d6f57b57cd3231928dfeffab72465e33df01ab08ccddc8

    SHA512

    497fbc4d3faca25ecc6e61b5f468b48498f3817d51172783e282e2ebd2f3413c62c968bc65d428f5f7d2de1cc0955b2fe78b9d2376101ff716655b23380a1831

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    35ee534743a89b87b97f07e760ba7891

    SHA1

    95edfe929647d6cc969dc25e80851eaf20e965ec

    SHA256

    60862ef4af37a9aa5ceb3e65173da51ca6c1aaabd057fa6bbaffc0d1c9b1da98

    SHA512

    2789de809c682269353c75ad94e3495b611f379d9465cbf9695ac2541f80122609c00837c89b898e687e82127f96f9a3bfb56d0955950bff9b639434a5190f20

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    1f92a1e5828784d7dc2e92345b557a92

    SHA1

    c11ba2ed34cd0ac880c274000a9d8c92e7220c82

    SHA256

    1036bdef46f9554fb4d4cf2d87158f6c6662f1632ab9ddb9cca4c7b83d41d158

    SHA512

    99e17990e336fe9cf0e61c1d574b72067e1ff69bacde380f7773c7f4d85ae96a830afd4cfca4d6f0603bdf9b62a99e736a1d8def8fa7bad2eb957dc39325ca22

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    3614acbd7678457fd5b926756d6ed4f9

    SHA1

    625006bfd490065c6b24499c125bf4bc787e0c15

    SHA256

    1df80abb112876450f369a1680492ad99da1356a098bdeabfccebccfe94863d3

    SHA512

    4a283806120dc26fc3616a61ea49b10dcff412a7673c31cb284db7d70d94e5125902ecdf523248b8e7479409e4270dbaaa2492da9bd559b05e7a143c6d3233f9

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    f7f28f2fde6f48ed649ea52306951e67

    SHA1

    25805d6bf1cbe58f4d86404d8a61a22547bce2b0

    SHA256

    a1142e4702e58922c12132fc5cf4ef7f2d3dd6fc0bb3bd4dab0ac9a0a7d64780

    SHA512

    785880c4d3b8cb37f5344049f6231d57fbc127ac2d7c8e3dee6aa442e7f0d790b255edacd56ab6434875d70d512bcaae08d9d39f8f52b7836955f4a10122b64e

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    a6d7b01d328f7667a0d38d48cf26b734

    SHA1

    e8bc7068ca2098f93e8b1838a2fe13aadffcd408

    SHA256

    198068e59894be377610834b12dd4a80fb0ba930b721655d7d43db8db06bb856

    SHA512

    73e68aed7cb7e4ddb4d221b101a14b59e55dba4a90f3acb58c64493011b181cccd7153246b1cb446f9ef27b2d233a8f6905cea2e775adf65c0513998fd4a35ca

    Download Submit

  • memory/1612-173-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2144-162-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2144-160-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2260-150-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2404-111-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2404-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2468-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2468-117-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2468-110-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2468-170-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2468-109-0x0000000002590000-0x00000000025BE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2468-181-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2468-188-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2700-128-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2700-124-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2772-182-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2772-187-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3012-140-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3012-136-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download