Overview

overview

10

Static

static

10

d14cd4a561...55.exe

windows7-x64

10

d14cd4a561...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/06/2024, 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55.exe

  • Size

    91KB

  • MD5

    30397d077599889f455ca4f0e81df7e4

  • SHA1

    12cb5f48a9d3df7f1bb6f576ad5ae9a902dfbd41

  • SHA256

    d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55

  • SHA512

    f0a3caa49f0397495d3f40d77894037b587db7948432631ab497c900ddd10f47fdc4f75778c94f6f262c756bebfecbee8f5f4a1d5c3724b62bbd7abe18804f30

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0Poxhlzmx6AwEmBGz1lNNqDaG0PoxhlzmY:FGmUXNQDaG0A8x6GmUXNQDaG0A8Y

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 19 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55.exe
    "C:\Users\Admin\AppData\Local\Temp\d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2020
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4280
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5108
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3036
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1988
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2984
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2712
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    a2ed1939b66ca47269777979ae590d8b

    SHA1

    4a1720e273c3d556a6ecaf7a23f684dfa0e1cf2d

    SHA256

    d55bca3ecc35697e95f145bca53b8a551cb8cb8f5707aa4a36104494b0e51681

    SHA512

    cf797435569c65385d10736739535914307283b4d82a286e1b26bccbccbc72229ce01105d2500574f12cbf3856543dd13c4a05c44c6af6f663d19199cf4ee60a

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    1f23bdc89eb7c519e2f69aab7df28747

    SHA1

    73c0b59622b3cf3bdba8cb15e1185dd0757e6505

    SHA256

    a3d17a085ff2d02742b2b820479317cdc00e536069d3d1c773d5e49c9a1fb079

    SHA512

    868fa221bf9ad95054d2a7fac4e7404e8031dcc915ef1081b713bade101adfb7bbacb88c36f7a7895d98466e5577b50122b12f294914216702cab945564a52e9

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    50a9d4e94a5ba56d4401b9aa167f147f

    SHA1

    4d7feea46067ef2ebe37361c7f50d67450994ab7

    SHA256

    1c15d0e5fb6b16769fbee1065bc24b9bf78b399e663e6b019285de0a25c138fd

    SHA512

    2ca99ad96f65ed32cae215ec0fdde89a315affb4ba01a0264eef0a5fddd010f43a00cab2bb2604d505b27f079550ad6ed37178cd5c46cb2e359d3a4dcd42aa4a

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    560da5a345aaf596f94b6e182b683692

    SHA1

    2a6f2ee749bcc68bd89001bc6bf9bf0e3847842f

    SHA256

    1c9a72f08fac1d7c773592fddbdb035a042348bc853f7cecce1e35f2e785580a

    SHA512

    11635b0709a2fc4141ebd078035e39adcf03a9cee0c5fdcddb8b8bdfd10012cc8c6847f28c3ab9e130c3802d94ecc629f5ed93d78a9562929cfbc32beb0b211b

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    274c3be9df0144e6e2d70be33e45efac

    SHA1

    168cb1c82176d6cafcfdee5efdf16189500cdc0a

    SHA256

    633cb7ea7e696582b93960276e9b4bf2688712f84767d95c4c916b62a48c4604

    SHA512

    c385c45d35fed8f03103cc20c5f28afc12232edb8eac1d0ace1ded7875119a1ca10018b52e2aa27d411cafe510ddf0997aaf7cba7fb45a74476eec25159ba7bc

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    30397d077599889f455ca4f0e81df7e4

    SHA1

    12cb5f48a9d3df7f1bb6f576ad5ae9a902dfbd41

    SHA256

    d14cd4a561f3106efbdf75a1ef327aa977c50bf1e8baf5992b1c97e87a037e55

    SHA512

    f0a3caa49f0397495d3f40d77894037b587db7948432631ab497c900ddd10f47fdc4f75778c94f6f262c756bebfecbee8f5f4a1d5c3724b62bbd7abe18804f30

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    8968fbe200aec8cb7fc311704b512f1c

    SHA1

    91ba7883c018e48c68e42e177241fb0749d301b4

    SHA256

    c6b7e688737fe9b0f336eb1214515d07cef0734eddc55e327930d5966f1c118d

    SHA512

    fd0906780ffa61b1526c0c25459deeecf4c01bd860616d458b2aacbc6e417138d4ab2c0fb90cefa8e5ac701a103c3de37b26b5c62b873ac1119aa248cfc90902

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    2eea642dc5a87dd210df0a84d5b2ef6d

    SHA1

    9f7bb6ccb719b5a99d740bf3248fc92240bafe0b

    SHA256

    f23946508d2ed5eb6851a0125580aea400ad39ec11d09e676fa5d3ae74f75512

    SHA512

    2a07a85bd7fdb822bd0956331223702d45f1eeb1d34fb59986d8d37b7eb7bafd2855435f97a4dc440ce63583f7708a96ace6be0f29b62cfd41aa7700e5b2b1ce

    Download Submit

  • memory/1988-134-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2020-155-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2020-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2712-148-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2984-143-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3036-127-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4280-114-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4280-108-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4716-154-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5108-122-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5108-116-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download