Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-06-2024 05:16

General

  • Target

    e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe

  • Size

    232KB

  • MD5

    f717612ad8f03464e96f3a33d67e8c4f

  • SHA1

    3ef4d9b8960f8909446541bde480f1edcd4149a8

  • SHA256

    e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0

  • SHA512

    1ceea7d191284209fc1ef01321139bc1455fa03eb91339ee6d15b419e32542148efa5ce52429a5a91facadd0a9221d108ee7822890b4933d40308ef4b46da378

  • SSDEEP

    3072:k/5F/E7tEf0n+p+tYlpJH7iXQNgggHlxDZiYLK5Wpk0out9rOJKqsout9e:khF4ca+wWJH7igNgjdFKsvoS9MKqsoSU

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 24 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe
    "C:\Users\Admin\AppData\Local\Temp\e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4676
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1324
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4860
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4912
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5048
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1380
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    232KB

    MD5

    aa3edc8d432ecdb07804101dd635fb58

    SHA1

    4d0e0065dd8798aafd8d8f5808311ddfe4fba01b

    SHA256

    8732739f82fe76757be79687ae15c35926ced9cd63954668d25db854d6638eab

    SHA512

    374e24f2ed31151c4a6884fa59189bee6b0b76dfaaee03219f486ef5cd66966d8d9a7b54a6a52d94602a7969d60807054e1a40915156f4e80f2728e0ffc5f4c6

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    232KB

    MD5

    4a97ae9b1ae6ac0374f163310216c884

    SHA1

    5f0f64fa8a47cabd0241c139b7841b8b68a53536

    SHA256

    2305a74d0d50c01c848a45b10cdf76804e5ff9f62276cb30a1e4e708eb4437b0

    SHA512

    debbeeeb2c7a61ea87093c374b7bb76f34db328ea6e226764998ec6fd5e11a6b62970553c06f31446c4c32a92727383f7ce9b16159d78585780904cda3c7add4

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    232KB

    MD5

    36e26394e775481642589c5487c05a70

    SHA1

    f8b86bdc2c0b0ced66d759683d8feb66177a7666

    SHA256

    5c001378263e585bc6ab594e4dba266cc11024e0f896b885f1914cac5d8ab33f

    SHA512

    3088011eec8a95aa286b779dfc036d2a2f261f184727a6fbfbe757a2ce72bd6bd9321f58693f0ba6896354540bf4ce78094307049d8c1d79d986e29a8d8918fd

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    232KB

    MD5

    4e5d05ce7884144713caf8a6b71f8172

    SHA1

    8c5c54ab839af9836a90fbf0ce3ece96dcf99507

    SHA256

    d67af74f791d33e1075a0889824343875fc928e588ec05192477e994725e15e0

    SHA512

    15f321b781379a84ac262b8a39ec3e1d07f0914e9be90c4b7ba1dea16e748ed18b150023cd867b7f92cfa3a682f70d1cfec749e79ff0cb0e2ef03ec3a1222ad6

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    232KB

    MD5

    f717612ad8f03464e96f3a33d67e8c4f

    SHA1

    3ef4d9b8960f8909446541bde480f1edcd4149a8

    SHA256

    e40cc8ec5a0e25706cc6f883356eca10e11186d6350ff55a177c096fe2dd6eb0

    SHA512

    1ceea7d191284209fc1ef01321139bc1455fa03eb91339ee6d15b419e32542148efa5ce52429a5a91facadd0a9221d108ee7822890b4933d40308ef4b46da378

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

    Filesize

    232KB

    MD5

    588639b2a8766babfad680e5ffcb6172

    SHA1

    275faeb320b1648c880528acae23f361ff412ec2

    SHA256

    bb30776607da0dfabfe60a2c72e6251fd0fdcffa549ac9ed6c51832c65520ca8

    SHA512

    98ff2ec0df8d1e35731dcad10f48c9d56b103a42a7cec94dac7b43d92f2d0163fceb2b797a8e66267a02c5bf62be60e26f98ab4e85dd6b17683ae608c797a89f

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    232KB

    MD5

    0ff0fe8c817ac701d82a7445ad893c43

    SHA1

    3ef004f77c99846e33f1492081223fe812bae818

    SHA256

    22d267a1c2d32ee5d4ea1a6b82bce5196d24d405379cb5819c83781c89e81355

    SHA512

    eb3839426c201f194c51a9837705b858cb2f3f95a97643a2563b67b50cae479de4f1b83acca37fd5d9a36a26c6d9e013465352bfe066ef4d31fe76b6a3fd6771

  • C:\Windows\xk.exe

    Filesize

    232KB

    MD5

    96269932020152a796d6b1106d5241e3

    SHA1

    f2020b1ebecf162fae7d38454ad106a3fa84507d

    SHA256

    44ccca80368a81ea7814bfa2a0b6dcf4e234e7027eca023a36af4411dedf281e

    SHA512

    e3fc05e30839924467d0304f4b0a0e3bb32750f4677e0848a794a86954c990788a764342938241d036d5dcba3f0e6041251366a5e6214e318664cc7940b46426

  • memory/1324-107-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1324-113-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1380-142-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/1380-148-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3064-153-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3064-150-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3832-126-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/3832-123-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4676-154-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4676-0-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4860-114-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4860-120-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4912-133-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/4912-128-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/5048-139-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

  • memory/5048-137-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB