Overview

overview

10

Static

static

3

b86806f049...0N.exe

windows7-x64

10

b86806f049...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    110s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/07/2024, 10:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b86806f049f767e729081754e9c66f40N.exe

  • Size

    91KB

  • MD5

    b86806f049f767e729081754e9c66f40

  • SHA1

    74ccd2b455ec4ab92ec4779e3de7ee34308b35ed

  • SHA256

    81c0eba8044668a9ec0bfd99c5085f9244dbf323475cf532a97dd10a7d6e2326

  • SHA512

    0dbb813399cbf74453374cbef4b2501fb410958d8bcb6937d6818ce6e56033502c161a4696b182096d17b83f8af0816153eef13f062f1fcbe93aebee522d5195

  • SSDEEP

    1536:FAwEmBGz1lNNqDaG0PoxhlzmOAwEmBGz1lNNqDaG0Poxhlzm/:FGmUXNQDaG0A8OGmUXNQDaG0A8/

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b86806f049f767e729081754e9c66f40N.exe
    "C:\Users\Admin\AppData\Local\Temp\b86806f049f767e729081754e9c66f40N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:764
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5016
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1908
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5012
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2912
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4232
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:916
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4612
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3416
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2508
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3768
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3964
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2240
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    2f5c5bf4b1abac5efd713cce76c5d747

    SHA1

    96ece1b69845b8435af8a493b5f5b62faeabb592

    SHA256

    76156e0c785ebeb2e377e13af1a7049ec332f40894d42d5d5615672669742b86

    SHA512

    d9750f019be245a919a0ea2694fa09d29d16920e1f4fabc1eb6a7219be074274f411e1448a3923397d3ac5c8f729d8b0e57f4fda598661e75c5e486bcce39a10

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    d147d5266bdb08fea8481a9adf894b91

    SHA1

    40bd7b039e64b9f5f9c2cebda25c81f490e3b775

    SHA256

    0dccd6145e385ef8b57435c4fb26560d08907927ceacee19a4f522ded23c89d0

    SHA512

    41f234e814d07d9bc1affa3d653661be727ca07bb0c5e4be938336abee25874dc525643474c36b608e80a822bfdf88d768a4cb528995f64e9af9e0e17ce6bd25

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    e11cf8fa3bb306a5973053676b8469a9

    SHA1

    730a79e5e3633a2de4201787080a4832d310316f

    SHA256

    2d9aba9f9a096bae299885ac30c74cf1c6bd637e6c3cc545ad969dc81f8d3996

    SHA512

    9b7e9f16b3ce0695e39a98ba779ecc937925dfc25f25e37bd63e7eb498dc27586bbc43acaa5c8ec9c274f8a1156fff243d311cbff4620508065ac1e758675eb4

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    0bb8721232098a010584b08121c17f1b

    SHA1

    cc2ba00cfecfbd3ca0b9bcb94b1c230fbd9f46fa

    SHA256

    dd1562a58fa8cc9f0dd5f5275280a46a0d1bbc0afb56f7dd57415209c8da22fa

    SHA512

    d168a93bd99f97cf78ac77617e2aaf6aa4faa8dd069a9bc731b3506b2508fac843719c25541f668678964a2bc6be309456e6baa42340b190caf62ba59ba1f922

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    92e29c086dce0fbbf9aa20e81dfe7c8f

    SHA1

    fa136c4793b8730635af3ee94f14f5a535e2be16

    SHA256

    fcce55ee3d3eca6cf79760161f4590674ec54d629ba0ae0e361708b6b5176a1b

    SHA512

    c5d54cc7b8ecdd0caa81f49896c84d33d00ed724db10afddb721e841c0f22060353043adcb7149860bafb834a655d4c6181e7a90d7892aeea79892ea2777ce14

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    039c4f6fba38f5aaf5242a41a86a5636

    SHA1

    c434af0ccaa0a888560fd3410aa79e0fc4fa3307

    SHA256

    7b27ce06a5b36177fa3309858f31e2faf6f923cec73be26ea54417068ed23be5

    SHA512

    9af60ebe25246ce8462821b95235c793b71fed802bed938e5db1a51d7a6ccb1ad8fa2682a09a50ea9a1fa37e8785165fa17de9ec663b895ad7a595acd5651120

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    fc687178e9dd9dc844dafed20014e257

    SHA1

    0ee5d25ba692e96053aae2831d10b7c1a82a64d8

    SHA256

    3d686ee2352cd0641833ac99347424d45299ae8b1b04a0bd3af2f4c791ab4ad2

    SHA512

    b64b367f26f6ea0353ef357a75dfc045726a3b8722412f2ec836ea9bd3e376f297ad432110c3226784bd768bb543781d76396265f8a87e18639c75b55addbc30

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    476aaa0537918247b2c31a5f24d11803

    SHA1

    c8fa277152e045dcd6eabe664e7c44fbec11137d

    SHA256

    18a5eeb798fc4275e64765bead2005d043b9698f07be44bfe0d2f9fad0d8448a

    SHA512

    61359d8fae88518018eaaf6556d724a1e774f82dcf4dbbc960e22e5318eec3a43b9dfb5b730cf29f6868be690e0116de8f932b1f0445893d1e526d013073ea55

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    3cb69133a3d642e20dbb70a756dcf6d9

    SHA1

    490e0d183748309441a159cbca1a87a4c73f6669

    SHA256

    205ca9205ac6483612916928df76aa5f517c9e61e8f04ec2b48c24339a0c8c05

    SHA512

    cc95c4e8673cfef34c10095aec40e6c6230eaeff00c1aa252b7a61e879a5229334330d09e6696389b038d2c9ef46ff874f0db7f572b47766937e6980ff2c3ad4

    Download Submit

  • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    92ee17a8b15b289ba163c1c7c3203549

    SHA1

    d84a4455f5dd9e3884b71d955bc5cd4e3de78d12

    SHA256

    d3a23dc09d3ceaa67701a5ca950e6f14316cd7179435de026a2b83290f269c7a

    SHA512

    d9e16badaf9e6a929f113386453f2f805ab8d47670f2a4c924d30d9fcbb41d1ed1016bd788022afca9c55aa94d699990c442ed197d674b20edf04ff7bb9f988e

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    43573e4b7471ba8ea078cb7cfd0f2d25

    SHA1

    1bbf15ac5f00895730b1f360c66a751db81d7c9c

    SHA256

    e500309e2540b0e3eab075ca030ac480b7d226b154fc365b5cdb1345071dc9c1

    SHA512

    62ac940b27ac7b7b31f59644ee370e39bb38f18620233d3a23ef437d0cf2664ea4025411b366cf02d8bf9daa8b2306a6d441cbeb8698520aa55d6fdec8cf4164

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    e7e66c86dd4742df94612286ba250bd7

    SHA1

    639d158dce91833877a4a61464e98fc189544424

    SHA256

    27b43a53e1f651ad7281957496541e5aeecdd0d0f1360df2b0ff419caba33ba3

    SHA512

    01700185589bdd2b0f544af55b61db7e96a3346b155333989fedd10e0addb88a90d126662ba25aa8e20f18b423ad358c2e340237cec699ddfa7aa2f1aa14f788

    Download Submit

  • C:\Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    b86806f049f767e729081754e9c66f40

    SHA1

    74ccd2b455ec4ab92ec4779e3de7ee34308b35ed

    SHA256

    81c0eba8044668a9ec0bfd99c5085f9244dbf323475cf532a97dd10a7d6e2326

    SHA512

    0dbb813399cbf74453374cbef4b2501fb410958d8bcb6937d6818ce6e56033502c161a4696b182096d17b83f8af0816153eef13f062f1fcbe93aebee522d5195

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    89030e8fa48f2d2978422ce2fbb9a9c1

    SHA1

    c579c1419d26c2444e6620ab976aeccb710cccd5

    SHA256

    f9a5e421817696b1c7c042d8be20cfca68d23918a4b795d50feb56a2f325ca47

    SHA512

    e1494c6c44f30dfc67d19d7cdce72fa34d74e8414b231cfcc85e02ac557fba8a54b6810123dda87a1805d7098814e7a9e8ad1dfc0a39d8df5eabfe212f4ba973

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    8d04781832abe4d6f44edaff949822bf

    SHA1

    2422cfcfbd598e3a74f1497dfa63074f8c337539

    SHA256

    4323992d7aa80098e97ac05b9c55bb9610e5309e191d5cef726e9fae38c6f218

    SHA512

    9da5dcacd99d8fb3a7e40d1e267d454da29c25b22f8b0d1bf0e48642953c2c15bb666c125da479f136946772e281cb503283666d3422e76a45b51f0ebeebb151

    Download Submit

  • C:\XK\Folder.htt
    Filesize

    640B

    MD5

    5d142e7978321fde49abd9a068b64d97

    SHA1

    70020fcf7f3d6dafb6c8cd7a55395196a487bef4

    SHA256

    fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

    SHA512

    2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

    Download Submit

  • C:\desktop.ini
    Filesize

    217B

    MD5

    c00d8433fe598abff197e690231531e0

    SHA1

    4f6b87a4327ff5343e9e87275d505b9f145a7e42

    SHA256

    52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

    SHA512

    a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

    Download Submit

  • memory/764-294-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/764-119-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/764-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/764-276-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/916-93-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1908-66-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1908-63-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2240-290-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2508-245-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2608-59-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2912-79-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3416-239-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3768-256-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3964-285-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4232-86-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4612-233-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5004-293-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5012-72-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5016-55-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download