Overview

overview

10

Static

static

7

4198a5a515...0N.exe

windows7-x64

10

4198a5a515...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    24/07/2024, 03:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4198a5a515d9a1a35a04fac9b05d77c0N.exe

  • Size

    91KB

  • MD5

    4198a5a515d9a1a35a04fac9b05d77c0

  • SHA1

    c53c2370944447c37c4efb6df3a1597410e44835

  • SHA256

    5bc197699e3178aaa6ecb8e69d95417475bcd13305d50011f944a25170c251e9

  • SHA512

    58d52b219f51312d933c06455dbed6482144a99e710eacf0ad9b2412767b8e9aa88ec7a06ad0a3b71ceb6bad4d3902a80fbe019f6ae9339143ea5da2cb58cdca

  • SSDEEP

    1536:XRsjdLaslqdBXvTUL0Hnouy8Vj1RsjdLaslqdBXvTUL0Hnouy8Vje:XOJKqsout91OJKqsout9e

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4198a5a515d9a1a35a04fac9b05d77c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\4198a5a515d9a1a35a04fac9b05d77c0N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2884
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2324
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:332
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2024
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2672
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2560
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2200
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2284
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2516
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2128
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2512
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1772
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1684
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\services.exe
    Filesize

    91KB

    MD5

    4198a5a515d9a1a35a04fac9b05d77c0

    SHA1

    c53c2370944447c37c4efb6df3a1597410e44835

    SHA256

    5bc197699e3178aaa6ecb8e69d95417475bcd13305d50011f944a25170c251e9

    SHA512

    58d52b219f51312d933c06455dbed6482144a99e710eacf0ad9b2412767b8e9aa88ec7a06ad0a3b71ceb6bad4d3902a80fbe019f6ae9339143ea5da2cb58cdca

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    c8d0e6c463d4464e794fd2f78fb78692

    SHA1

    a791c07d72ddcc659e44414deb0e323ca36bae51

    SHA256

    688feae64c1ab5e5c94c34238125994a797e6f62a3095825c810900cd7f8daa3

    SHA512

    45bc8d933801f179533de81896cafe46e0cf5076f6d0f5f577ebc48b3dba03f9d3cc2f35a4dffc381bdd03d63227d5ef66ac9dc831f0ed132b5e75adb91de936

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    a29c08f40ad1768f6355731c6e938067

    SHA1

    aad9d743ad5c23c44a4b5d003138801c7470899c

    SHA256

    7a4e3fc436156a8c5087524e165f638e182dd22253003d7315a5d606f98376e0

    SHA512

    edca26063d7ea418e6beb5f69a753dd4b5b3de5ec82e2c748465f6bd5037fc7c783d5e0cf1dd98c8035f4a65c433405efc7321207f97848865dcece0bc3c09bd

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    1c0bf8e3981da3fb7745c8077577d30a

    SHA1

    e4ad5b2c7a8309323aefaa7dd40f756a5c4a7b71

    SHA256

    9bc0397df0fcf89442d2a15c8b581aede19c78d154e601cf3e8e9416dd281344

    SHA512

    6f7f818f7baeaed69bb2759abe4c20ccb01891c8e2f4edfb01c7c1cbf211d2645d849740afae08ecbcc9164192ca055e27d513faf83e2c36f01ab27c9a79211e

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    9f73da11ea51ad107b81614cf708ba0e

    SHA1

    3110b6ae186770edc00b6147f51a69a82a8d87af

    SHA256

    d1026b2837d0fb7597cfabc392f65933ba23028288fce73f4318e18df0121628

    SHA512

    8c2e50de89733f712e50ea7f5ffb379621d26e2acb1071a5361ff3a8261e91a3d18ea7cb85f4dd51aa84f7bd67fab83a7fec9e99b034795ac41211f01ce8bdb6

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    b09d05d6fb6aa8b09936fa25658807bd

    SHA1

    7cb7b13b7f016158eecb5f794d2e2fcf69a43cd0

    SHA256

    6b92403cf0282fe67a6e4b823cc66e6530bbe9846be27dd48874c0501e63c3de

    SHA512

    3c351b7148bd91119eb566709e69469698ca7386ba7c0fcb29ea8f0ee1b23be88ef383257f99c76a08f20024a40f7713c4011fade1df00cb9c030866de626c5f

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    8bd7532a1b7dd0f9f0bae318d1707d31

    SHA1

    79f94842856eed9bc815e2adcc49180694c91d3f

    SHA256

    d71dd86cec10d45dd4e04c865dec605beff62ca33ecf4a1cb9912406c2197cac

    SHA512

    3259a192df74a98c493125336d598ad3394bf0101f22e92ab2d83ad6e67804553e6590d3be7f5e7cfe73c8408b7bedad8081a5f052881955fc8b953a51fa6a0e

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    a6accb724733a9b8bfca421bfd04345a

    SHA1

    1fade6638218e1f55a3512aefc18e81c3ff0fea0

    SHA256

    9c85ee72fd3f437c68cb4564cede8cbc4a266456aff8b4a7a5cc4a98a8bede87

    SHA512

    1d48695901f0efa9a5f3fe62efde3cb31d1979d1a046498ee636736f1e2058cd58e7551af6d54933cb8b36911599d50d6e6e5dc32cd55fb96b78575ce4ba6370

    Download Submit

  • memory/332-126-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1684-286-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1772-275-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2024-139-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2100-311-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2128-255-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2200-225-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2284-233-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2284-226-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2324-113-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2512-264-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2516-244-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2560-162-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2560-182-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2672-152-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2672-148-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-147-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-133-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-213-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-161-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-160-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-260-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-227-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-214-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-283-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-134-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-121-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-122-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-108-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-110-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-436-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2884-437-0x0000000000540000-0x000000000056F000-memory.dmp

    Filesize

    188KB

    Download