Overview

overview

10

Static

static

3

0aae17f904...57.exe

windows7-x64

10

0aae17f904...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 18:32

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0aae17f904f37bc3468b763e08f07485b04b7615411ce2e11edf051c7160a757.exe

  • Size

    45KB

  • MD5

    e106d74df51ca0d93000eacc0e1d6152

  • SHA1

    acf25becde3383c6e947bcb868bfbf9e03541d4d

  • SHA256

    0aae17f904f37bc3468b763e08f07485b04b7615411ce2e11edf051c7160a757

  • SHA512

    91c6e98d82d64779e570361fcb2ce226f4c1e970f2fc6b4ee9ae3e33caedf886db24774814c9a2c417dbf9387429691db45cdd35fa75b52810ae689f8fe5bdec

  • SSDEEP

    768:PmFQj8rM9whcqet8WfuzHVHFNNqDaG0XjqGoxhz/8szBnP7DFK+5nE3E9:FAwEmBGz1lNNqDaG0Poxhlzm3E9

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0aae17f904f37bc3468b763e08f07485b04b7615411ce2e11edf051c7160a757.exe
    "C:\Users\Admin\AppData\Local\Temp\0aae17f904f37bc3468b763e08f07485b04b7615411ce2e11edf051c7160a757.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4796
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1640
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4828
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3208
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:992
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1984
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1216

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          45KB

          MD5

          560b4e6e99a1893f4a4c8796a29d102e

          SHA1

          05bce341989d6bb34be7a2acaae4c996182164c7

          SHA256

          490f9ac6a54e103275b9210d8c555ac31797877a5a906f426b7abf187b60a26d

          SHA512

          9b3806c0408678ee368c8c426ceda6e6b1d35caaccaa24c4021e014d050e4d318a94e4d20917a0824ceca6261f082d076cea6d672aafe96b5947b80e8bc61110

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          45KB

          MD5

          73a3fc84945cb2fa9fc0ad3920300278

          SHA1

          21e168bf8585db9577565af7923bb5e807cb7f1a

          SHA256

          5c67d147b453d91e460e03918ce8c1ca8c3b80fa969dc95c9022b9b3edfe9abd

          SHA512

          ab2f3b8c451088731872048c071f051f413a2bac2d1e97e095939261339452d6fd26ff6fd5b9e17e9015aa024ba5eafd6394d5e723302d95a4b0896142851a7c

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          45KB

          MD5

          0868f1a58dd9714fb1c63e524bcabf83

          SHA1

          cc9675a79f1eb38b79fe080a23f3155c7bb6630d

          SHA256

          9b609f719afe26f9377c14a1ab7de5a4015baee9b58bcfd7506c4eb8edd070ef

          SHA512

          f3bf1d2e759bbe499dff6a09b6320de6307d9de3fcd9278d70195fa4805c90570cee3a786923b6f17fabbaba10357b2e352a51b9912c8c18692aacd95fba4221

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          45KB

          MD5

          89db2f25bb7c4044d397d52821294d7d

          SHA1

          3e90f174bbbcd88eaa3dcc984eae9e082637bcae

          SHA256

          43a3492ad0dbea0eda433a4912c9717ad0654f23886e03e135fed567e46ca8b2

          SHA512

          c2f36b6dd9191edfe22308dcab7bb1ca2c920f27dc3bd0b274e3126f950c6d1ed5d4c121a4388c794fd029f85b9db08884253aa74b7b50d76cbee367b04d6e32

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          45KB

          MD5

          3b0e1155236cdacefa93bf4e97a7d789

          SHA1

          d522ffbbe6251bd3124a7ffb95719d4a60818847

          SHA256

          434decc454ef194f54e4331cf5f7730bb5903ac76d843f83ba960e497537bb6f

          SHA512

          78eb0ad215c82994fc4ee5ad90151f6c8b4e90e79684d2d9858cf8454329cd89bd49ab88ac47879fc36623674f2f38e3ca9b164c422dd81005d69e555667c2cb

          Download Submit

        • C:\Users\Admin\AppData\Local\winlogon.exe
          Filesize

          45KB

          MD5

          e106d74df51ca0d93000eacc0e1d6152

          SHA1

          acf25becde3383c6e947bcb868bfbf9e03541d4d

          SHA256

          0aae17f904f37bc3468b763e08f07485b04b7615411ce2e11edf051c7160a757

          SHA512

          91c6e98d82d64779e570361fcb2ce226f4c1e970f2fc6b4ee9ae3e33caedf886db24774814c9a2c417dbf9387429691db45cdd35fa75b52810ae689f8fe5bdec

          Download Submit

        • C:\Windows\SysWOW64\IExplorer.exe
          Filesize

          45KB

          MD5

          d84c81c3b2afe2fc2b3b2678f7066a47

          SHA1

          ca798350e57c6f5c549a2172c65786a1229a3f4a

          SHA256

          48eefe7ccf3097ecea54195a3d9f4afc8a4de498650d12d7ff5b5b1dab0f5ea0

          SHA512

          469dc486d41c441730a1277dc2f802763f336da12ece5cc4451e7977613b96a93f7a1cabaeb7b30a0c97a39fb14392f19b2222f21cf79ce73554a05e4bfd0538

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          45KB

          MD5

          aad01dd2caebeed19bc05e28363551d5

          SHA1

          ff151420bff149062fd22bb06b76da764a4325f3

          SHA256

          19af5dc03ad9e9e5326bc945e1dfb58e1d10b8bad6852c54b372e9889165ef66

          SHA512

          500e0e7f9c247219f5172006e1bf12064f5eb88f6cb7f4229fa7e4724bf05cbeca7af61a9c44cf445ad0c46c135ce5f360a6646b323ea3045797106561ccad77

          Download Submit

        • memory/992-136-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/992-140-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1216-155-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1216-151-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1640-114-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1640-118-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1984-150-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2024-110-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/3208-133-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4796-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4796-156-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/4828-126-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download