Overview

overview

10

Static

static

3

43083dfedf...11.exe

windows7-x64

10

43083dfedf...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    06/07/2024, 21:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    43083dfedfee40cd72b36083009502423f641771f074a9232417fa4b24367a11.exe

  • Size

    45KB

  • MD5

    eb6592201bf317b8586ae53f96a9c292

  • SHA1

    f0113588b592cd7afbd7963c8151a02352b83451

  • SHA256

    43083dfedfee40cd72b36083009502423f641771f074a9232417fa4b24367a11

  • SHA512

    f9ead629d55a3471b8fbe7e750df36666f77b6dddd5cdc22c5578a1227e14c1014d42fa1d1d10bf259b851cd1f0df2ef34988b591d2022634cad4aa455f003da

  • SSDEEP

    768:2mFQj8rM9whcqet8WfYUtT92S21XFXRnnePxCXNvF7DFK+5nEd:8AwEmBj3EXHn4x+9ad

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\43083dfedfee40cd72b36083009502423f641771f074a9232417fa4b24367a11.exe
    "C:\Users\Admin\AppData\Local\Temp\43083dfedfee40cd72b36083009502423f641771f074a9232417fa4b24367a11.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1908
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1768
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1152
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1076
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1788
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1964
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1688
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1204
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1056
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1020
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1552
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2008
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2060
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:876

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Event Triggered Execution

        1
        T1546

        Change Default File Association

        1
        T1546.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        6
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Inhibit System Recovery

        1
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
          Filesize

          235KB

          MD5

          fa33b165d822116b782a648ac9fc5e73

          SHA1

          26b745aaa12bfd6d2ed00f60e24fd43b0a7cc8be

          SHA256

          367d1517eec531deea25095cba25a5056e221b9eacb246728c8d17b537c93150

          SHA512

          88bd069752b6f6991786df4986022a9659dd3f3985a607e5a101330f97266471887703e496baac5de07cf1a9932642461c3a8f49e5651c81bb3e3dcaae74ba4c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
          Filesize

          1KB

          MD5

          48dd6cae43ce26b992c35799fcd76898

          SHA1

          8e600544df0250da7d634599ce6ee50da11c0355

          SHA256

          7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

          SHA512

          c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

          Download Submit

        • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          45KB

          MD5

          5dfc889007700550864aba05eab968d9

          SHA1

          287045fc5781d5213adde2ab07b3c1ee34d8f144

          SHA256

          b3d77c801a61ba226ad704873e5c575d8f73e7597a6814e4b7960ea52cf119ac

          SHA512

          ab9a955967c85041b2414a030bbcdb996962f1edb2f56e3b07fd0fb838c3e467efe799d87e2cd3d565547529d5838e4967bad27391182b96c92c5a6d5faf2330

          Download Submit

        • C:\Users\Admin\AppData\Local\services.exe
          Filesize

          45KB

          MD5

          eb6592201bf317b8586ae53f96a9c292

          SHA1

          f0113588b592cd7afbd7963c8151a02352b83451

          SHA256

          43083dfedfee40cd72b36083009502423f641771f074a9232417fa4b24367a11

          SHA512

          f9ead629d55a3471b8fbe7e750df36666f77b6dddd5cdc22c5578a1227e14c1014d42fa1d1d10bf259b851cd1f0df2ef34988b591d2022634cad4aa455f003da

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          45KB

          MD5

          f8a067562c854fa20a3adbc15239e552

          SHA1

          2c3201069d989cf44aea9c222ac282c51a9ed02b

          SHA256

          d37b066c0d341699a83a6c23f19320aec1968aae0568998601725e86823a4ba6

          SHA512

          e06bc1846a16f9d468b9368631a1ab560c28092966c2409fb3bdb3963cf0836b3e8a337110d118c6d14926bfc580d19caad9de8808ed513ae6940dfa076357cf

          Download Submit

        • C:\Windows\xk.exe
          Filesize

          45KB

          MD5

          cce62fdbcd320c09a90847a45d847e5d

          SHA1

          f90280b808c79e151e0566b7fec72be1f872d7f7

          SHA256

          d5808257e0937ba7d94a8c33489d7edf8cdd657e47506090c7d845a249511c08

          SHA512

          75f2f9f7fff165d2af1b371f299ae1032cab00653148c50b7603af6f2581bef5dfd8d1aa406566660c60b8a0009b0846bbe64cbb6e2cd5188f5b2f8b0845b21f

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          45KB

          MD5

          056f129b0b3fbbf4c4c43b12b87daf55

          SHA1

          c87619360c88321c59eff0121df94986b721c6ab

          SHA256

          0a30de517d5dd2ad0d2938003c43557009b22a282355a0ec70dbc83f707bde81

          SHA512

          83f05052903168e7130dbd9e796099d271ceecd317a1a133940278679c64aeee8f31277cb7821b10c2dacfea6e3f86690af08156ad3cfbf49b04289dd7cc6fd4

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
          Filesize

          45KB

          MD5

          c6d2d359a3b220dcfe3020df2be631fb

          SHA1

          03e3fc88f39c0a2c50bec49d85c285df6e79dfe2

          SHA256

          d9a414bb78e68836daf8270498adf5f387a4ff9cb9f63aab7e242db834903222

          SHA512

          cf2ef5604082b7bc553b0446acd044992c50aab91921e3fd5990dca0f499c46a634d775d35cda6f8f1aeaad89219569339cdb2b3274256c065d587c7f52e8ad4

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
          Filesize

          45KB

          MD5

          163be73c67b3f68ff87853ae075dc96a

          SHA1

          de27177cdc883c8ee0b59e2707061bb31c9465ad

          SHA256

          6275d732878aa226c2c51e3cebb1b587609db9bff56438d2ccf73952b7a15f6a

          SHA512

          801deb450b96f86b93c2625c67ec3f389d42c316c26890a2a13499a58556ffb13c8fec2d3fda36edba30bfcb4e43ef79ba7d52a2d77fe6a656ec8201bbe57614

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          45KB

          MD5

          63e2c3f38a3b0f2b9cfb8c9027f00f61

          SHA1

          859e19d45b1650c7f54472f7969646b0a354f7e6

          SHA256

          16e124641e0e6dca0eb9f2ec2475cd3c6bd24f43ca2343b7927c1e1a41c2c5fa

          SHA512

          a630a16967418e79f4d367d386d3fb68258f76457b1871029ef6e9c65cf1b31faa8e756154e488e84b3da5d275f019e30ed3ce68fd9d18cc6b528ca4bfb9f690

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
          Filesize

          45KB

          MD5

          7d67cd7e9b64a81284635cc8c43634a5

          SHA1

          35d6b2b4b9dc51b94198f92622d7bb32f1cca0d3

          SHA256

          a3306afac4d80daf16557678a7e8fd6ba9d668d15bc97c5bfdf8fb8bdc64e92a

          SHA512

          a34250000bb66c95958f7890d080342815e22304af3d2e50117e370bca847b755e2121dc5c9f92aea7934589368fca2cd713a3138b000884fc7e11a420dbc14f

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
          Filesize

          45KB

          MD5

          05b7cdc729863e9c2531aa029688b8fb

          SHA1

          00cfe7b5f27cec52a9a1e732f294915aedf073ba

          SHA256

          4e44b2b8bd17d88117732337ac112f9b472571527ba0f985ea0bebe8eef2d46a

          SHA512

          43e216376e1cafaef1af2451b93cdd8aeb3864123708a8c777a5425f5a478a4c9b31e908dc2b7f8202dd20addfd506deed9ddd501e2509d14d05adccbdc4a424

          Download Submit

        • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
          Filesize

          45KB

          MD5

          d793a4e67c959c04ab3b502f7d52cc26

          SHA1

          4fb35874830e7c528582553afc64f52e688290d5

          SHA256

          9e4bae63aff33bd4e881d94599a98cd03a592844ccd2f883fe3d651ff116c169

          SHA512

          253b04525393951a5d7af71b8c894567be8a63d9e49a646b87a70125aeaa90114fb1180f79b2a7b107e74ebba7386cb80b944fdf6b5da1ce5f4373067c75a50b

          Download Submit

        • \Windows\SysWOW64\IExplorer.exe
          Filesize

          45KB

          MD5

          2472a2654f095a917c3ab551c7549a73

          SHA1

          63e41dc641ecad6d6b0b3b6deb4d085ba9620ebf

          SHA256

          78b4c33437741147bc0d4b27c5880495c0b14b3b97b0535579556ae348f99de6

          SHA512

          51f5986340cdbf001cc877ec2eb8a4ca5a9e8b8a002565900bc879e1c5b2a8d6174f397dc66c1cd974dd8b00996968f18e80040a61ca4211f057996fe20ff829

          Download Submit

        • \Windows\SysWOW64\IExplorer.exe
          Filesize

          45KB

          MD5

          535713b74db3c252aa9b9ca6a29554bf

          SHA1

          293d69ee3c961682900358e19e538a2943643ee6

          SHA256

          878cf5d02ab2647c3e8f0a9c2c6b97d890da4b4b85c06e3ee9d7f24255adb24c

          SHA512

          4d1f7cc1304fd7bc82b8911573a9235b9e51df0df15c3c6a7afa9357296b850f6943706a233375a3f7a592faf08d370d13ccd2679049350777e1898db215c29e

          Download Submit

        • memory/876-316-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1020-261-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1056-250-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1076-137-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1152-126-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1152-123-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1204-232-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1204-237-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1552-273-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1688-230-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1688-220-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1768-115-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1768-110-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1788-145-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1788-149-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-219-0x0000000002700000-0x000000000272E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-251-0x0000000002700000-0x000000000272E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-122-0x0000000002700000-0x000000000272E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-245-0x0000000002700000-0x000000000272E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-233-0x0000000002700000-0x000000000272E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-218-0x0000000002700000-0x000000000272E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-0-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-109-0x0000000002700000-0x000000000272E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-152-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1908-441-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/1964-163-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2008-281-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download

        • memory/2060-291-0x0000000000400000-0x000000000042E000-memory.dmp

          Filesize

          184KB

          Download