Overview

overview

10

Static

static

3

d4f4db261d...0N.exe

windows7-x64

10

d4f4db261d...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    20-08-2024 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d4f4db261d84899b506a43bb9cf60690N.exe

  • Size

    91KB

  • MD5

    d4f4db261d84899b506a43bb9cf60690

  • SHA1

    05a27fcdcf81499a2ef3407855a10473e38eb9b4

  • SHA256

    078793cb90b9be28fe41edf7865ff57216b791f6996f64142dfdcf7faed43ddc

  • SHA512

    8aabb5aa2e5eba8cc2c755c7e5cff41a0dd6c863223e1889a6aa82a4c4b7fdcc2487301a1bd7961590f0cd6d92488267a0a64d6e4ee12152ce2c3517776a1c0f

  • SSDEEP

    768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imun3gRYjXbUeHORIC4Z2:uT3OA3+KQsxfS46T3OA3+KQsxfS4q

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 24 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4f4db261d84899b506a43bb9cf60690N.exe
    "C:\Users\Admin\AppData\Local\Temp\d4f4db261d84899b506a43bb9cf60690N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2756
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1848
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2788
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2916
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2964
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:844
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1276
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:484
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1636
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:948
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2060
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1656
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1608
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1748
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2116
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    230KB

    MD5

    464799025664d50e0ed22d8576a196aa

    SHA1

    5bedfd95d75b27cea364f9d9691b3f65ffa2e0da

    SHA256

    62d559b40b7d2d0607b9e3717e52960f64fc9beccf102b51088e35028c5782e9

    SHA512

    8fab94d43b8e8e2ea7ae12c072686f16cbc4f080fb7a9a63505aa6969cf50302529f1da1f6823ed7b203bb0478033dd85725d2dd8063283a0cd4abf754d29ad5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    e2d5dedb1889d3f46422c29c6314e89b

    SHA1

    947f96f5c7707fe45ab86169a59de419cddea082

    SHA256

    93f36d7cdb0da9f7a02c41f38d9ec5e5673c6a492034a2e6c77a0fec1715cc74

    SHA512

    2d49da4b022dde94b5036f7f98b3be4818be4447d862a0e0962abaf1585c7284e93bed8c11839bc0a489a598276ead8af0fd5703751733918b10236fdef7b0fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    c3276286221933e0d85d76e7d5c76e8f

    SHA1

    f99203c4d63efae971ef29f6cb3d8077152f2687

    SHA256

    3ee5f1956ce96a5bd4349e9a5e6174c4b4da179b8635154340f92f1d7672a179

    SHA512

    b2484a558e8d07aac750f81a3ba1b08ab3e6115acc193b5bf95fcac5d18820406583332a3aa420c088537e056142b658dbc97e4c10bd32db6414307b6438a0d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    d4f4db261d84899b506a43bb9cf60690

    SHA1

    05a27fcdcf81499a2ef3407855a10473e38eb9b4

    SHA256

    078793cb90b9be28fe41edf7865ff57216b791f6996f64142dfdcf7faed43ddc

    SHA512

    8aabb5aa2e5eba8cc2c755c7e5cff41a0dd6c863223e1889a6aa82a4c4b7fdcc2487301a1bd7961590f0cd6d92488267a0a64d6e4ee12152ce2c3517776a1c0f

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    72aedf070f1c71cd8f74f2f59d01e8d4

    SHA1

    541c608293f5884abe33c862983963ac361c8999

    SHA256

    caed7f8d591da238ee8a0ba2f9831ab37eb60efa9aab98a11313a69d7512b95c

    SHA512

    842cd81eb650d1f64724c09dd7e392560bdce7e5e2461caf444a05930e698485247be7441b8249a38bf11d8455c5503faeee57071257644d2b86c92dfc694ca5

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    a9bb3b927bc8fc95bf57c7e9fb53e982

    SHA1

    0eca7c372bc8d6c591d10ae1c4e8fcf570f71a72

    SHA256

    2e75af86cacb11f9bf122f652ea8f6c2b54d73aabccf37ec00ba56c8a1782cbc

    SHA512

    afc374e6e731ca8a357beb4e973ad701b14be58e5bdcd6149d1a23bc14292dc99784e8b5a99f041572e1474ffb0ece34f4f485c37dc83496055ed793634ce644

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    cb532e2367e5c127064ec4a3f4f1736b

    SHA1

    b192dcec8022e406e7175f1f731562df1c28591e

    SHA256

    aa94f53aeaa74cd1b003d49d69603fbe52fd563cfb50690d907351c7f8856ccf

    SHA512

    efb580749ecc6719c9a46ff81cb4eb30c662e12513e3cae49e5e30570105b1de643d58e22c7d05441848b3b149c514ad69de7060089639d6fc8eba7fd9feaaf9

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    0ce1252e1f204138a24942905bcb6dda

    SHA1

    dd7a7e29bc7c1d4ea040f52a1b4cbb7537d7ae83

    SHA256

    7fc1d9ab5221449a48c76fff850e1b654ea04338fa6c2d462a1c616c4f5ff6ae

    SHA512

    8d1105a6cd4f794648bfad47889b77caaefa66f262a1b3ae0caafdd7cf688b192d1a52c9ebf109b41f679e81c04cdeec14995c510d76fd90dbb9099281de4ff2

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    71e80488e35dc1d08abbd0d19f6f5703

    SHA1

    807607e8ad0d2a004b9cc7c414f861162fd456ad

    SHA256

    7e6960bc528ed59767cd79c0eea348790d3440198e98aa74d879c50a3b93da4b

    SHA512

    edb51bf6ded580cf9f7fb32b97d15cb14e2af061d79ac62039d90d1df12516849a0f58d75314a65e4fe7fa929d568059517d381cb4ad0708ab3b68d785deee8b

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    11e886c58af0b3d8fdc3352eb54722fa

    SHA1

    bc4141dd8a71ef835646b34adc23a528c1330c61

    SHA256

    427c0cd0f107a9f59d1d96ae7a954bfd32bc922e5d2c14d3d5fc0b5d7733b421

    SHA512

    a64ccce3444e83513c1750409ba668dd2e8d937d7252e0c5dc5e614b59da3cc9ad325c26b4a5151307604c9b54e745922943359c2579245236db96d1fda9cc8d

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    a339b7e0ca470ec5017053c3ed28dfe2

    SHA1

    a8003c2c9f6b3797c35d9eb5b95b803e563186d7

    SHA256

    0b82adad8918544a47d17fe24beedda09752a000748ebe0abb582ac6bf4d2009

    SHA512

    7903d56c6b48db1a946dfbbf80e81317fcd7e375b94517d6372c4231fc7d4afadd02b44e545f2a92e6a6bec5d61c47339898a41f8cf1deae2c25e9475e412a73

    Download Submit

  • memory/484-206-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/484-201-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/844-179-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/844-172-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/844-177-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/844-173-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/948-263-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/948-268-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1276-192-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1276-188-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1608-309-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1608-304-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1636-250-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1636-261-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1656-292-0x0000000000390000-0x00000000003A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1656-295-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1656-290-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1748-323-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1748-318-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1848-122-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1848-118-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1848-116-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2060-277-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2060-284-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2116-336-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2116-331-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2756-195-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-1-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2756-4-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2756-130-0x0000000000020000-0x0000000000024000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2756-2-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2756-486-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-275-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-134-0x0000000000401000-0x0000000000427000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2756-3-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-113-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-302-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-186-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-245-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-316-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2756-114-0x00000000003D0000-0x00000000003FC000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2788-137-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2788-132-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2788-131-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2832-361-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2916-145-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2916-151-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2916-149-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2964-163-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/2964-159-0x0000000072940000-0x0000000072A93000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2964-164-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

    Download