Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-06-2024 05:16

General

  • Target

    e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe

  • Size

    232KB

  • MD5

    f717612ad8f03464e96f3a33d67e8c4f

  • SHA1

    3ef4d9b8960f8909446541bde480f1edcd4149a8

  • SHA256

    e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0

  • SHA512

    1ceea7d191284209fc1ef01321139bc1455fa03eb91339ee6d15b419e32542148efa5ce52429a5a91facadd0a9221d108ee7822890b4933d40308ef4b46da378

  • SSDEEP

    3072:k/5F/E7tEf0n+p+tYlpJH7iXQNgggHlxDZiYLK5Wpk0out9rOJKqsout9e:khF4ca+wWJH7igNgjdFKsvoS9MKqsoSU

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 26 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 26 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
    "C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2372
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2876
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:636
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2692
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1944
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1820
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2228
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\services.exe

    Filesize

    232KB

    MD5

    f717612ad8f03464e96f3a33d67e8c4f

    SHA1

    3ef4d9b8960f8909446541bde480f1edcd4149a8

    SHA256

    e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0

    SHA512

    1ceea7d191284209fc1ef01321139bc1455fa03eb91339ee6d15b419e32542148efa5ce52429a5a91facadd0a9221d108ee7822890b4933d40308ef4b46da378

  • C:\Windows\xk.exe

    Filesize

    232KB

    MD5

    ffea8ff15b205a943c198e46fe63dd4d

    SHA1

    ef98cf447b84fa8b4b356cd4eeeff7a0fd48172b

    SHA256

    e541702d0d4ce981a5d1888442be4998d62ca8f4837a6e17258fc43f97f2daaf

    SHA512

    1bf993572155172197dcf6665de1e0dc534afaddd190460918809bd8199f0715f809d25905cf0b3f6a43fc45b51d20aab4f396715a8da0d1494c5cc33253c33c

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    232KB

    MD5

    443975720576d9c5c27474c00fe074fe

    SHA1

    67a2e25054b8e03fbfc7c31723eb359fff2bde3e

    SHA256

    6bc35a1770d75c8136a21dd63c01b28b97fe9a99d04eb616021bb7f1f9b8ce74

    SHA512

    1d01d0007b81ab2df8a6d3b4d0a197d7748b466ee2f3eba8880d77e892faf59b152f3fc407b4e040e3a2516e807824303848c44dd03d179d7d8262c0eff304fc

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    232KB

    MD5

    4d98aeea532beb7d14587a10ae9f2f61

    SHA1

    67e8ecb22c3b561ba31901322d4ddea6e44cf567

    SHA256

    135955a821933d794aec595a451eae80355121baac3b26958a60b97cab683464

    SHA512

    312f693cf450d00b4d32da4025da510f19a35fd88c36655abec2cc99700a4eb8a858f58761c93d10e35ea39240f1824485cd1aa98069cf861fec6c8c4302e245

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    232KB

    MD5

    ad591f38d9e9595bae90a502cabd19ae

    SHA1

    0e953f641b8dec2964d4a3ea4454b1eed065b001

    SHA256

    07eb923e70957ec310d8f896c95c7d3d7d972206f8353f8341178cfab2246aec

    SHA512

    820fe9b720460e78d459d896ae72e7fe37d4dfb8466b8141c7b8e620d3bf96a2d1c19adcf4c069e5afe852aec27c6ce454b68d98ad0d15e64c0e9b8817965ae8

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    232KB

    MD5

    8e97a033098a938463c47ffd227133ce

    SHA1

    7c0b34cec53a71e02953259d91ffabe6dbf7ed90

    SHA256

    ed00a740e3315a96800c2d240c14bc734e077a008800ff49b8e4625a3b912782

    SHA512

    fdc9fbb12c29108b4fab1f54a5cdcaaaad7bbb3393a6990e08ade2102ea62bb84d4728f7cb2f15333d84970eba4cd66c33b9731399f0857933e9849dea3afd39

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    232KB

    MD5

    0f4a62ffb6fed4afaea7cc1c8fde3c1d

    SHA1

    48f812dd7c51385659efbd15fefa1a4f2e60c1d1

    SHA256

    5b0a1d38994ebf90e149494684ddc974b20a006bbb4b30c381e42cde11af15a9

    SHA512

    83532c479b9ad1a3327505267f811194abc57328a917d3fcefe55eb18e0adf7bc55a9401c358ed89d387df7dab7f1d10e9a1544736802b4bcad8b9e3fa0526d8

  • \Windows\SysWOW64\IExplorer.exe

    Filesize

    232KB

    MD5

    46a867e41ec8608553494cab4a9c4382

    SHA1

    d7c4179369802b684a445f1654d04f232fa73bfe

    SHA256

    edba4a832b0b72abdea5098cb6a8e16e7e528e9974d4b3ae8a879d1e3a621abe

    SHA512

    5913cc239cd0c4da13100e00632342bf453da32ae0b83b640d53d4f2a6615f6cba65ae02b10f8b0c36165c6d18fa5ee14da898f79a27ab0020e80f4d4c73583b

  • memory/636-125-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1604-181-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1604-178-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1820-159-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1944-147-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2228-170-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2372-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2372-139-0x0000000000540000-0x0000000000570000-memory.dmp

    Filesize

    192KB

  • memory/2372-116-0x0000000000540000-0x0000000000570000-memory.dmp

    Filesize

    192KB

  • memory/2372-182-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2372-151-0x0000000000540000-0x0000000000570000-memory.dmp

    Filesize

    192KB

  • memory/2372-150-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2372-109-0x0000000000540000-0x0000000000570000-memory.dmp

    Filesize

    192KB

  • memory/2372-110-0x0000000000540000-0x0000000000570000-memory.dmp

    Filesize

    192KB

  • memory/2372-163-0x0000000000540000-0x0000000000570000-memory.dmp

    Filesize

    192KB

  • memory/2692-136-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2692-133-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2876-114-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/2876-111-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB