Overview

overview

10

Static

static

3

2cdd90e5b6...0N.exe

windows7-x64

10

2cdd90e5b6...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 04:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2cdd90e5b69dbbad23a43b26356696c0N.exe

  • Size

    325KB

  • MD5

    2cdd90e5b69dbbad23a43b26356696c0

  • SHA1

    27eaf57a25fd34696e6dbb772d9081cbb377252f

  • SHA256

    753133fd1a1fd89dbc8c736105d87dad6ce5a4deb531c054d53f2593b88f3d93

  • SHA512

    1a2203c542d764dabb340960eba74111926985152ec042a6b386d6edc3db40911c7893227b12e818ddbc05d1cf8d6e5ddc95b0ee425a6ac8a4abc5c8e9ba7c0e

  • SSDEEP

    6144:LY+32WWluqvHpVmXWEjFJRWci+WUW20rUU5EYCTvaBju43:EnWwvHpVmXpjJIUW2cUusvalx3

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
    persistence
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 35 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2cdd90e5b69dbbad23a43b26356696c0N.exe
    "C:\Users\Admin\AppData\Local\Temp\2cdd90e5b69dbbad23a43b26356696c0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
      "C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2680
    • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
      "C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2912
    • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
      "C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1896
    • C:\Windows\lsass.exe
      "C:\Windows\lsass.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Modifies system executable filetype association
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

2
T1546

Change Default File Association

1
T1546.001

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

5
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3E1V.com
    Filesize

    325KB

    MD5

    d995c4fc5fab9e9791642a385a321954

    SHA1

    4994c9d07df55975d5cfd73411e6a59a1c46eaf3

    SHA256

    b3b4fc94277964a64e9c8092cefb45da40a9c31599956c64d4382bdc0b701335

    SHA512

    82423ca43ff29394797742c92255a60c084fdea3406577f6552a19abc5420b9787aaa31d9f6397b141fc1b06693061da93cbd7ea34c2674d024b50687b73ac75

    Download Submit

  • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3E1V.com
    Filesize

    325KB

    MD5

    e5ca751d07edae2064dcdb415ddb3c99

    SHA1

    4764c0770d8024dae6ed427d4233e44db299e09e

    SHA256

    23666e595533e510b74d5a8c1a9b03e1ce7277cd0a048d150af67d4cb2ab16ce

    SHA512

    781361ea72d62883b66f3866136fe197f25a1ed6cc40ecd1b850edfc57bbacf6a8df3c28a10b60166b687cf6f65a627cfeac07aa855b83fa0ea694d8421b76a5

    Download Submit

  • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\YEY3E1V.com
    Filesize

    325KB

    MD5

    c9785b0ba6da5f04837afad01859532e

    SHA1

    bc1362b3baa1b6c2eb85b96da3104ebb5bde7107

    SHA256

    11876c40a1873a48ef6de1edfca854867f1dd36b337490741df17b51bb63d0ff

    SHA512

    3b16c6786a12b241e643b3a1a6526c248ea4dfe06c8368cb341da6e9896095003c8e4693819301912b1a89946b03d4118a2e58a0806390830ae4dba0a26e9ab5

    Download Submit

  • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
    Filesize

    325KB

    MD5

    d832564f2a2612ae657f29515127881b

    SHA1

    a360ce918efca507aed29f63867418def85c2b86

    SHA256

    c38b1355c4abb56a3abe9beebae813872fad4d82dbe23664c4e7bc13e85c9c54

    SHA512

    ba7ee1e5bc993e21005af9078ca818d740ff0a3fb22a07ce63c856d633150916dfe6fbec505ba9f1e07292c6f3ecee6bde9b3981e39d4acc4222451e652d5a16

    Download Submit

  • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
    Filesize

    325KB

    MD5

    56c6f6fb138c1e9a83c6299eff70ebb4

    SHA1

    4b1a2bad3f14a4a8ecda10820e6cbe3f9ffdbc29

    SHA256

    93a2002e46addf856fe804d760a10f1f4e08a3ad259a1b6b7127375e0f2827c4

    SHA512

    263e7488a4ebe7a7c007b08d0a888108f1c74529b6c063569aa28f5f98a977ffd7b517237a588acc94b8de29d6d67ecc803af3264477ac9d9457d6ef5685f57c

    Download Submit

  • C:\Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
    Filesize

    325KB

    MD5

    fa4d1fad7875fec6b2a535cf2796d72e

    SHA1

    b890817151ad28caedd931277b77384e33dfcd72

    SHA256

    eae73675a3ffa3909517aa19e0f2f3ba52527ca74b8a3959f83f9b48e4c0b04b

    SHA512

    548fe9c0123c7f8ecc562aeaafa875095c46c48f089c7943b78949569befe4c8a259a0d5da0f5ac5a13efc2f91a47b10ca715e325acd767bf6c996f863fdec85

    Download Submit

  • C:\Windows\EGQ3Y5H.exe
    Filesize

    325KB

    MD5

    c1162554364b293ec3830fa7a829781f

    SHA1

    ed953aa8de6296b9d4262a6a7efc1f91bd773862

    SHA256

    b344ddc027c2bd80f08245c724f9c415992095ac19e82361eb6528ee35351a2f

    SHA512

    afef10e7c558ffb1749cd7799f707e26859f2572846392f1339f911485a9a279c937cae3ba4bb2a230700bb51721903c4df4d1fa5ae9d9e5a7a597517262fb65

    Download Submit

  • C:\Windows\EGQ3Y5H.exe
    Filesize

    325KB

    MD5

    0d948f09a03f8443f5e7e05ba5c1a7a9

    SHA1

    d89e2089c176b404d5e625aa855261bfe946be7e

    SHA256

    e6abf8db6c55dc18deee71181b5f5f0a71ad9990145f20319f5c78ca17782146

    SHA512

    66a934411085d197283c1824d416af497baf6507fbb7e671423e839a15cd0c34e773974e4d654cd3874c51ad4521d7d5e6418a2fd29fd5f3bfc66ee6830b877a

    Download Submit

  • C:\Windows\JOX6S6R.exe
    Filesize

    325KB

    MD5

    64935faa9b17dfc65e7c2dda274bd457

    SHA1

    c1b134f614c19da1d08392970d508800a8b627a9

    SHA256

    beea2622aebc0fdd2f741a82d760b320ee665d344e3df3cfd6fbd552ecf2dd99

    SHA512

    c1c1c3807126c02808a0325f857a36c9669c56e631bf8c7780296b70eeaad8e3d5948350033313424dc24cb16f0498bda7c79a46e8845c283adac4547f8d1f50

    Download Submit

  • C:\Windows\SysWOW64\NHG8N4IJOX6S6R.exe
    Filesize

    325KB

    MD5

    f53c00a0cdde3a6b7b70b9ea3f7bab45

    SHA1

    0e073f955f7424f3a94b335d45fcd77f7e75b940

    SHA256

    9676bbafa7bcfc79239b171681a57c3978b90a8b0c71cb0cc8000362396da785

    SHA512

    21ee823f7868191ff73dc429d7cf737242ddf07206c0f8251b5995ba407a09fe997b0e48618c014b181e42525573e167af1b48213092535e99f6ea0546eac190

    Download Submit

  • C:\Windows\SysWOW64\NHG8N4IJOX6S6R.exe
    Filesize

    325KB

    MD5

    ce76f740f66b15be3a5a1b926d869115

    SHA1

    60297c893c56a657679e2052038429b1f6c07d04

    SHA256

    6ea3dd5728f5283f46ee210ab218f862ef6d017480306922e1b8655066a6b5c6

    SHA512

    87c999152d185b7c5dccb39fdded0ddca04c45d2bfe43e5b72fe092857378ffd578bb47124cc68e71bee1444ae9352694de1deea56dcf952d062397115271f4a

    Download Submit

  • C:\Windows\SysWOW64\NHG8N4IJOX6S6R.exe
    Filesize

    325KB

    MD5

    22021b92a425593e5324f7d701b6c774

    SHA1

    0a067595736213cbcf5aaa8f70b51b581fa41ef6

    SHA256

    de64ed01c4d85390a81ab9fd510dcb3c7e10f25aad36f1a65a270fa11cd703fb

    SHA512

    e359c6edf219aecdee1b81af8c2eca6876a1a2cf3c691a3dcde99dce69a9937c77a4c061e44fb57d97cfd4300729be5c77d3fe8b305a402ec2aa7986497e4805

    Download Submit

  • C:\Windows\SysWOW64\TSV3E2O.exe
    Filesize

    325KB

    MD5

    27ca1e419d7e11d9d2d97a1c6888b956

    SHA1

    11e6a9f9f38944ace3d9b64c0fd3f59c5caf3a23

    SHA256

    771dc9415f2852fad796253095e0da1aa169716462bba5840a24d833a39e0bb3

    SHA512

    a5e44e85c01c859b572ea6e3f429f55dedd05a43d2e17551b4d11f373ef8cbae7606bb94ef4d968c94a96c6d98391e78961a628b1b49717852feb2aebe94ffdc

    Download Submit

  • C:\Windows\SysWOW64\TSV3E2O.exe
    Filesize

    325KB

    MD5

    afbd8717b8d2fb96986003a490675099

    SHA1

    66896a433a1b961c69ecb3eba9c955505c005a66

    SHA256

    475e074e2323164ec1cac1280ecfb90edb9d22d5c1491d44d595cc419b7d7dbb

    SHA512

    412de9c3aaac2315b4e7277d48a8f3567841cb52da7ed587c6c4262baff481bd2fb97f504d818c6d83208cc25f182dead519f549fa5199cc70c0cfcffbbcfded

    Download Submit

  • C:\Windows\SysWOW64\systear.dll
    Filesize

    141B

    MD5

    98fa86c186994eb8d774e6f0f6c27a00

    SHA1

    4529e272ccfd2ecaf111c471794ed7246fc1f3c6

    SHA256

    6a661f9afadef7ddab412f18cb09cb5dc8dc344d57ce8ae7cea65d805803361e

    SHA512

    11868ebb34a3d96e40e16eb4d6f5b267a39a2a69f98bb53912a10647d8b64cd053c34a7e6ae2d0fdf303508b031fb2780f1a051e954a6d285d77c6b54f631849

    Download Submit

  • C:\Windows\SysWOW64\systear.dll
    Filesize

    127B

    MD5

    964d78451d49da935833eb64afd865d0

    SHA1

    46a1ea77809c5fd58fcec14e066d95d93001855a

    SHA256

    3ed6d700315c4087191db147753d0a40133ae49f85bdcd267cde44e2d941e044

    SHA512

    819f0afaada79ed300afda86a3378215a1ded4ee22a967f71584e244f32d2a2265f0f6fb5a4523fee714a1d621fa39dabd1766dca312b77dd0e55af12c916f46

    Download Submit

  • C:\Windows\cypreg.dll
    Filesize

    417KB

    MD5

    e9451860cfa19590dcf5765445c4fe6a

    SHA1

    64833587ca65612a92dc069b2a5944e9d75b12c2

    SHA256

    88cd19c8dc10e27a72bc776bf00907ac8670f80d2dda89c155678e581578301a

    SHA512

    bb8da8ae3a7a5cbd392c3d350554b9ad9ec2d53a27fad5d85f181e9ffc8e4c255c2e502046ac757b75b418d36a4faeeb4148361b748284b82ae00e4e8ca918fc

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    325KB

    MD5

    d1f09577d97c402324133124a720abc5

    SHA1

    ec529922b99e5613849667ced842ece3dd1a99bc

    SHA256

    b67f011e51f45995d3aa119b1678f2b03a53980d9d4861d602a09b25e7ebc256

    SHA512

    d2690feab1a6c4f1f78192ece8b8e3b447ef67e27d4204ee074668449e30eaf0a3175284b94e692642295c4080c1fd990d0dad7127568b81b74a6e71788bec47

    Download Submit

  • C:\Windows\lsass.exe
    Filesize

    325KB

    MD5

    b1f0027eefb445c5030fda1d35f0f2e3

    SHA1

    d06e1a23755f80c5c13b7e2e63857cede8ab77cc

    SHA256

    166adb13d91c8196a65371742e8c9b33dc4229534fbbf436a39a26970a0e0fbc

    SHA512

    04e5b6e38ee31cc5e8c387e6c7aafe66612ecd01bd990615950a1323b0f2858d10244d1884bf40aff0aff8db8806811fd5a06126243cc8c75ac8bba286c5e2f3

    Download Submit

  • C:\Windows\moonlight.dll
    Filesize

    65KB

    MD5

    c55534452c57efa04f4109310f71ccca

    SHA1

    b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

    SHA256

    4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

    SHA512

    ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

    Download Submit

  • C:\Windows\onceinabluemoon.mid
    Filesize

    8KB

    MD5

    0e528d000aad58b255c1cf8fd0bb1089

    SHA1

    2445d2cc0921aea9ae53b8920d048d6537940ec6

    SHA256

    c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

    SHA512

    89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

    Download Submit

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.3MB

    MD5

    731e4e6eb3ca5e3f9fbd9c2d15f88acd

    SHA1

    a8f3ac38530aaad6ecd5a507dfec22d26f7318f8

    SHA256

    9557659ccd3b1611ef457ec2bb61cd11f26c1b7b904d1e86f063996b681ba34c

    SHA512

    c0cd06fb068dec4eff0de4c8d17e9103c768c7c43807997be34654ca62139a5ade1cfadcf053716dff7d05f2cbc2f650359f5e2b1114e25420f1f65829540530

    Download Submit

  • C:\cool.exe
    Filesize

    325KB

    MD5

    99922297a23d0299f1ced6fdb70531da

    SHA1

    d2259c7600a6ba671921fc07d6dc70ccd9958d43

    SHA256

    c86c1f0d803dc62167ba123943d87e005025141c1a3d13351a4f791de921245c

    SHA512

    af63e023dd6210017b5e594f62d74549e232bdff2c6061736c02cfa5540382962baf8abbc280eafd26844eebd7f48739aa33a4db792802afa93d2fb4dd943f25

    Download Submit

  • \Windows\CHN8O2C.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
    Filesize

    325KB

    MD5

    6ca23acde046c08b790a34623e75fca8

    SHA1

    f99e343bbfd0a6b322e9ff0a389b242085c544b4

    SHA256

    82b114f894354bf4251584b9ad04799555d7d36420d442d5cd46dff136ca4b9a

    SHA512

    b664b4e8e317802be6e8957ac0fac3cd63d522846177ecc8e880fa852d6d8f93b7ef6a669d6369b3c2fba2d2cd3862db52ad14ff9f0ba513ec184cb0c9c309e0

    Download Submit

  • memory/1896-222-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1896-214-0x0000000010000000-0x0000000010075000-memory.dmp

    Filesize

    468KB

    Download

  • memory/1896-109-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1896-205-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-82-0x00000000034E0000-0x0000000003530000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-171-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-59-0x00000000034E0000-0x0000000003530000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-49-0x00000000034E0000-0x0000000003530000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-168-0x0000000003EE0000-0x0000000003F30000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-167-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-67-0x00000000034E0000-0x0000000003530000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2312-0-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2664-213-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2680-56-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2680-199-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2912-204-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2912-69-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download