Overview

overview

10

Static

static

7

e48de6bb66...0N.exe

windows7-x64

10

e48de6bb66...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 17:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e48de6bb66ca9a8972415fb6639ca9e0N.exe

  • Size

    272KB

  • MD5

    e48de6bb66ca9a8972415fb6639ca9e0

  • SHA1

    db7c7241cda82bc1ec5b522e435c8dcc3ff75ef5

  • SHA256

    d0388706906fcbb9f08af3359df77ef82f8a420a408e70fc4f9efdbb19bba291

  • SHA512

    4e3f005d7111493604eca954ea98146034fd1238966f33129f77fbf6122479f8c16bd93f69da8666f979e8bf2885bd75490ec9edf090827b12c122b954b6ee53

  • SSDEEP

    3072:7MBGBT753QvRgWgMlIx1ZiXjb6aEF6D0NM9voeLNZ2j8Cx2:Yw75KRgWg4aAXjb6aEFfooeLNZxC

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables cmd.exe use via registry modification 1 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 9 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e48de6bb66ca9a8972415fb6639ca9e0N.exe
    "C:\Users\Admin\AppData\Local\Temp\e48de6bb66ca9a8972415fb6639ca9e0N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Disables cmd.exe use via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Modifies WinLogon
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2128
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 1412
      2⤵
      • Program crash
      PID:1124
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:2040
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2852

    Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          4
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          2
          T1547.004

          Event Triggered Execution

          1
          T1546

          Change Default File Association

          1
          T1546.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          4
          T1547

          Active Setup

          1
          T1547.014

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Winlogon Helper DLL

          2
          T1547.004

          Event Triggered Execution

          1
          T1546

          Change Default File Association

          1
          T1546.001

          Defense Evasion

          Hide Artifacts

          2
          T1564

          Hidden Files and Directories

          2
          T1564.001

          Modify Registry

          10
          T1112

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          System Location Discovery

          1
          T1614

          System Language Discovery

          1
          T1614.001

          Lateral Movement

          Collection

          Command and Control

          Exfiltration

          Impact

          Inhibit System Recovery

          1
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\wininit.exe
            Filesize

            272KB

            MD5

            e48de6bb66ca9a8972415fb6639ca9e0

            SHA1

            db7c7241cda82bc1ec5b522e435c8dcc3ff75ef5

            SHA256

            d0388706906fcbb9f08af3359df77ef82f8a420a408e70fc4f9efdbb19bba291

            SHA512

            4e3f005d7111493604eca954ea98146034fd1238966f33129f77fbf6122479f8c16bd93f69da8666f979e8bf2885bd75490ec9edf090827b12c122b954b6ee53

            Download Submit

          • memory/2128-0-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download

          • memory/2128-1172-0x0000000000400000-0x0000000000444000-memory.dmp

            Filesize

            272KB

            Download