Overview

overview

10

Static

static

10

35a70c1d13...cb.exe

windows7-x64

10

35a70c1d13...cb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    14/06/2024, 20:24

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    35a70c1d13fa8d48bcae21652dc6b86b46aad40f5dd0d14d2e336c95477cf0cb.exe

  • Size

    91KB

  • MD5

    0034f2534cdb6f116d879862a841597a

  • SHA1

    20664493043369eab5f6710a081b47be31ff9342

  • SHA256

    35a70c1d13fa8d48bcae21652dc6b86b46aad40f5dd0d14d2e336c95477cf0cb

  • SHA512

    5feb4ace265f7bd43c1552fd4a8f914b0aec84db66e65182b459de94ffcd40b9a888c60e9eda29eacdc61fa49efc17e5277b0a39b26917e020a5add0a6eff870

  • SSDEEP

    1536:zAwEmBZ04faWmtN4nic+6GQAwEmBZ04faWmtN4nic+6GU:zGms4Eton0QGms4Eton0U

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Detects executables built or packed with MPress PE compressor 30 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 22 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\35a70c1d13fa8d48bcae21652dc6b86b46aad40f5dd0d14d2e336c95477cf0cb.exe
    "C:\Users\Admin\AppData\Local\Temp\35a70c1d13fa8d48bcae21652dc6b86b46aad40f5dd0d14d2e336c95477cf0cb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1200
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:668
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:576
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2792
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2832
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2960
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1260
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1940
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3016
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3064
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2380
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:672
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:840
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1636
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1912

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        7
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
          Filesize

          240KB

          MD5

          e4ad23f5c2695a880a2d0397d988f0ef

          SHA1

          f27f986e832955f762c1393778f59b502e6d7c1b

          SHA256

          bcdb3ee94181fa505ad0acd31bf4b780c2b0619c7f3a90222500726f71220fe6

          SHA512

          a29258a75ac811149025906e378e78e0625721bcc5742cf8dfabdadbad3a4e1c139d5114c4c56989cc7797f1c7d00141824baa70ec5e1d43e39214ae8b38cff8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
          Filesize

          1KB

          MD5

          48dd6cae43ce26b992c35799fcd76898

          SHA1

          8e600544df0250da7d634599ce6ee50da11c0355

          SHA256

          7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

          SHA512

          c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

          Download Submit

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize

          91KB

          MD5

          0034f2534cdb6f116d879862a841597a

          SHA1

          20664493043369eab5f6710a081b47be31ff9342

          SHA256

          35a70c1d13fa8d48bcae21652dc6b86b46aad40f5dd0d14d2e336c95477cf0cb

          SHA512

          5feb4ace265f7bd43c1552fd4a8f914b0aec84db66e65182b459de94ffcd40b9a888c60e9eda29eacdc61fa49efc17e5277b0a39b26917e020a5add0a6eff870

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          91KB

          MD5

          59ff8e852b8f534e917847e93add17a7

          SHA1

          77dc5fe1de65ec36aeacdea863a3e4dba85d8f72

          SHA256

          9dbb27c35cc9064f82af7772f48147e07c19e08b505e6b3f99e5a77981602439

          SHA512

          9dc50b18c3cd5fd3b0ed9d88a10d6db9d9c4ff934656946f57523022ff9ec7a5f46bfeb4d9168311ac3c24621e02a13b1e422f6b4684c3dc39f1a36ff545cbb0

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          91KB

          MD5

          ad127336a626764daff2038bf0e617aa

          SHA1

          196491e8b7146138567c7f64d3027176d95e679e

          SHA256

          165489e530cf3ae807aabdb9ecd7c337c66641610cc153978ee01e938c025dea

          SHA512

          7daef08dcbc5f5e4e18a1ae07dae1815afe2cb421be7faca1e592419dc25c03ee7ad9c249ce56ce6646d0adb34ef08814ba7df20203395c7c762d20facf118eb

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          91KB

          MD5

          5f761abb638ebcd6655053de1e18bb2b

          SHA1

          2b62e9c49297ed5dfe6d10d41ec439130b2fcffe

          SHA256

          e93066c6131546c6583b9c6ba5d6bb4ea46781c208e17d85619be50430651563

          SHA512

          856239bb4d98e95c3905b661a325cdc18f159e1c4283be551991af8f7385f98269ce0153ca408ba7712893ab0f2dc7075c8fe76cf9ebc719de2a3365536b19f3

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          91KB

          MD5

          43bf81c5150d239e4c05690a86978d00

          SHA1

          ec775fcaf4e1139b47bd90892683a43b0e455df5

          SHA256

          f2885accebe2c028d703cb8d1a476759aeac68386137797d212e0bec1bdea568

          SHA512

          19e3dd568711218b5051c01aed32de495cc1e3a0649039cab008b5cbf05fdc8ebc8ebf447a623c8611e46716c9c624654e674de3cead7b8fb72f4473c4aaa4f0

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          91KB

          MD5

          0c37f57d109d8c06a63dc6c6af7127fd

          SHA1

          80423e4603439b0f0ed3ab248052eddb2a8f9320

          SHA256

          96cf2a1d06fdfce4a7909e52fb705e05be2d9692c234853b66afd9e9b8c93d0e

          SHA512

          77b63121bdd4e444bd90fe793d2a6636e0e38aad1f24d5ca5b3a19327ceb2eda1f60c0805decbac6cbc246a8c0c59e4d577caa8c82dc3ec23bb1f02641f910ac

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          91KB

          MD5

          900fdb70ca2f2aba4a2047f7f9bb4035

          SHA1

          868ea23defaa340b20c13c136339734c89077207

          SHA256

          817f19b539c3dc2582f3774c044f1cba06531e97b89fbfd13dd6a4c6cf20871f

          SHA512

          b9fa1d88acba94f79e4658895c7134f374ec5ba7db62b37b7d06b723a9e5f3081b004cc2e36d084e9fe84e202b629bdba924fc0881a6eb19c7b01e2e0572864b

          Download Submit

        • \Windows\SysWOW64\IExplorer.exe
          Filesize

          91KB

          MD5

          0fbf20d3f72afdf73627074b2c93c522

          SHA1

          79d89f4fdc0b38f22f77ab4de74cad1ed779234d

          SHA256

          1b31afc4acd6876ecbe05e0d268c908bb899441be22ba83cbe69ac750880bd8e

          SHA512

          0e0a0d4c43766c3b9b600acbe752933f90cbfa36cacfd3bd334a1ff160761eebfe2d7a27ac3b7d3398ac8c1f531d97d720348d4c8f96ebb304256ada42457408

          Download Submit

        • memory/576-123-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/576-126-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/668-111-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/668-115-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/840-277-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-213-0x00000000023B0000-0x00000000023DE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-149-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-214-0x00000000023B0000-0x00000000023DE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-440-0x00000000023B0000-0x00000000023DE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-438-0x00000000023B0000-0x00000000023DE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-437-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-110-0x00000000023B0000-0x00000000023DE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-283-0x00000000023B0000-0x00000000023DE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1200-270-0x00000000023B0000-0x00000000023DE000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1260-180-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1636-287-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1912-312-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1940-226-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1940-216-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2380-253-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2380-250-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2792-136-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2832-146-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2960-160-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3016-235-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3064-244-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3064-240-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download