Analysis

  • max time kernel
    103s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 18:49

General

  • Target

    69f8eb1c805f2f9cc2e6e4d4c1b24c40N.exe

  • Size

    45KB

  • MD5

    69f8eb1c805f2f9cc2e6e4d4c1b24c40

  • SHA1

    096f58f3ebb9430242f77532891badd52d5e8ac9

  • SHA256

    b3b71793bf76e57e5a5fdb7e8362fc9088419dbd9de2f6354f14f96b47751db4

  • SHA512

    56bc8d7bb034dd876436a2e89bdee13384a820095847da03d5bb5bf19904fc8127221aac8dd59e8bff4b5d53b5ded18881fc27ca1908cc9ec086d5ac56b450be

  • SSDEEP

    768:/mFQj8rM9whcqet8Wfb4JzRJwEIHU5U3rf12WmULgJs7DFK+5nEv:1AwEmBT4JzRJwEeUW7f12xULgJzv

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs
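
The signature list above says which behaviours fired but not which registry values were written. The following is an added triage script, not the sandbox's or the sample's code: it maps each persistence and policy signature onto the registry location that signature name conventionally denotes (an assumption, since the report does not print the IoC details) and compares what it finds against stock Windows 10 values (also an assumption). It runs offline against a constructed snapshot; the Winlogon Shell and Run data in that snapshot are hypothetical, and the only report-derived value in it is the dropped path C:\Windows\xk.exe. On a Windows host, read_live_snapshot() builds the same structure from the live registry.

```python
# Added example (not the sandbox's or the sample's code): map the persistence
# and policy signatures in the report onto the registry locations those
# signature names conventionally denote (assumption), and compare them with
# stock Windows 10 values (assumption). SAMPLE_SNAPSHOT is constructed.
import sys

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE = r"HKCR\exefile\shell\open\command"
POLICY_SYSTEM = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SYSRESTORE = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"
ADVANCED = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
RUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
LOCATIONS = (WINLOGON, EXEFILE, POLICY_SYSTEM, SYSRESTORE, ADVANCED) + RUN_KEYS

# Stock values on a default Windows 10 install (assumption).
STOCK_SHELL = "explorer.exe"
STOCK_USERINIT = r"c:\windows\system32\userinit.exe,"
STOCK_EXEFILE = '"%1" %*'


def _norm(value):
    return str(value).strip().lower()


def assess(snapshot):
    """snapshot: {location: {value_name: data}} -> list of finding dicts.

    level 'alert'  : value differs from stock and matches a signature above
    level 'review' : autostart or policy entry the analyst should look at
    level 'info'   : Explorer hides extensions / hidden files; these are also
                     the OS defaults, so only a change from the baseline counts
    """
    findings = []

    def hit(level, check, location, name, data):
        findings.append({"level": level, "check": check, "location": location,
                         "name": name, "data": data})

    wl = snapshot.get(WINLOGON, {})
    if "Shell" in wl and _norm(wl["Shell"]) != STOCK_SHELL:
        hit("alert", "winlogon_shell", WINLOGON, "Shell", wl["Shell"])
    if "Userinit" in wl and _norm(wl["Userinit"]) != STOCK_USERINIT:
        hit("alert", "winlogon_userinit", WINLOGON, "Userinit", wl["Userinit"])

    cmd = snapshot.get(EXEFILE, {}).get("")  # "" is the (Default) value
    if cmd is not None and _norm(cmd) != _norm(STOCK_EXEFILE):
        hit("alert", "exefile_command", EXEFILE, "(Default)", cmd)

    for name, data in snapshot.get(POLICY_SYSTEM, {}).items():
        if data:  # non-zero DWORD under the per-user System policy key
            if name == "DisableRegistryTools":
                hit("alert", "regedit_disabled", POLICY_SYSTEM, name, data)
            else:
                hit("review", "system_policy", POLICY_SYSTEM, name, data)

    for name, data in snapshot.get(SYSRESTORE, {}).items():
        if name in ("DisableSR", "DisableConfig") and data:
            hit("alert", "system_restore_disabled", SYSRESTORE, name, data)

    adv = snapshot.get(ADVANCED, {})
    if adv.get("HideFileExt") == 1:
        hit("info", "explorer_hides_extensions", ADVANCED, "HideFileExt", 1)
    if adv.get("Hidden") == 2 or adv.get("ShowSuperHidden") == 0:
        hit("info", "explorer_hides_hidden", ADVANCED, "Hidden/ShowSuperHidden",
            (adv.get("Hidden"), adv.get("ShowSuperHidden")))

    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            hit("review", "run_entry", key, name, data)
    return findings


def read_live_snapshot():
    """Windows only: read the same locations from the live registry.
    KEY_WOW64_64KEY keeps a 32-bit Python from being redirected to WOW6432Node."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER,
             "HKCR": winreg.HKEY_CLASSES_ROOT}
    snap = {}
    for loc in LOCATIONS:
        hive, _, sub = loc.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                count = winreg.QueryInfoKey(k)[1]
                snap[loc] = {n: d for n, d, _ in (winreg.EnumValue(k, i) for i in range(count))}
        except OSError:
            pass  # key absent, which is normal for the policy keys on a clean host
    return snap


# Constructed snapshot for offline use; the Shell and Run data are hypothetical.
SAMPLE_SNAPSHOT = {
    WINLOGON: {"Shell": r"explorer.exe,C:\Users\Admin\AppData\Local\winlogon.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,"},
    EXEFILE: {"": '"%1" %*'},
    POLICY_SYSTEM: {"DisableRegistryTools": 1},
    ADVANCED: {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0},
    RUN_KEYS[0]: {"xk": r"C:\Windows\xk.exe"},
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for f in assess(snap):
        print(f"[{f['level']}] {f['check']}: {f['location']}\\{f['name']} = {f['data']!r}")
```

The Explorer\Advanced values are reported at "info" level on purpose: HideFileExt=1, Hidden=2 and ShowSuperHidden=0 are what a fresh profile carries, so the sandbox signature only means the sample touched them, and on a real host they are evidence only against the analyst's own baseline of that user's settings.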

Processes

  • C:\Users\Admin\AppData\Local\Temp\69f8eb1c805f2f9cc2e6e4d4c1b24c40N.exe
    "C:\Users\Admin\AppData\Local\Temp\69f8eb1c805f2f9cc2e6e4d4c1b24c40N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2208
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4540
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2860
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3744
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2800
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:216
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3092
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    45KB

    MD5

    55aa4c026751a13fbdd047ff9cb4dacf

    SHA1

    d9d445079e00ceb881ddde88ec45cde27a487292

    SHA256

    a86496d3403578120497b84eb5d8b560396933f2da6cefe30a9a3b79849dfed8

    SHA512

    f2db684c3817ce0184863bf479560e9d9cf7ceae38ff29884d48364a71b22502d1bcf1a99f2ea60c42c12c53595ec16e863dbd2af99fdcdffad7d2ca5623823d

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    45KB

    MD5

    2e849ce1617fd2ca6dd8422ed5f6cce1

    SHA1

    721641660ef2a4e6ab31aa08418c009c40b86785

    SHA256

    cf303edd79dae147ffe0cd9f5f2aa7383b2d753ca8ce2304cc01769f839a5e9c

    SHA512

    b47cd6de179fba653956cfda3870a180462c4f19c192c693c17c82964db45a56611884a3d228f8f5becf6c95790714e4eaf7a0d26404c57a695ffce19700fc79

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    45KB

    MD5

    4bd6d1bccfbac0e59136f0103514e951

    SHA1

    70cbb527b0db172513c558731a14f05be85df03c

    SHA256

    0f21e7a8b7ca1755f9fc7367ad45d7cccae519232b0ee5f3b177097b04368c5e

    SHA512

    89ef8d3452966582ea95e7d69662a0ec7b1cb7f0cd053f6bc96e3f1fdd2824d24c168d7a6db1cf099a39868a874cd4215038baf0b8d0385d20da383d4675f58e

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    45KB

    MD5

    0923c0042f43e7c6c58ea717a766112a

    SHA1

    ec958baaa26cec9b0300dac9c5d0cbea1e946e35

    SHA256

    1ee2fd99845c362eb90672a4c0aa1463dd65c50707337c2214bcd748eb02e268

    SHA512

    038f13756a1833b0f258eda5415a6b16cef522ed99a5a8725c7b9b8a0e801b47d1c6f7b803e64ecd58122a0e39dc504556e6450c7c52656978d179305a81b631

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    45KB

    MD5

    69f8eb1c805f2f9cc2e6e4d4c1b24c40

    SHA1

    096f58f3ebb9430242f77532891badd52d5e8ac9

    SHA256

    b3b71793bf76e57e5a5fdb7e8362fc9088419dbd9de2f6354f14f96b47751db4

    SHA512

    56bc8d7bb034dd876436a2e89bdee13384a820095847da03d5bb5bf19904fc8127221aac8dd59e8bff4b5d53b5ded18881fc27ca1908cc9ec086d5ac56b450be

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    45KB

    MD5

    635f186b59a634ec3432db5686e50668

    SHA1

    794fa6ccd2e64417f0f5bbee1c42a869224860d6

    SHA256

    b17b69d115da5c86d71e5362d760997096dac77ec67f7db99e7f79bf78b3e357

    SHA512

    c0410d1691977aa179a2c635763ab3205fc6e5a1bfcf6f81ad9c68d5f2ce76117bd168de176829a51a04ad54a6157bb7ab0f42e11ce6d4b5935bf1ed281906f3

  • C:\Windows\xk.exe

    Filesize

    45KB

    MD5

    4cede0177ddf50b96ac811d0a6942e21

    SHA1

    54afdfadc15118fb5b635e985d600078e9714564

    SHA256

    a7a9aaaa3626cd0d8046444cfe319b99907fa896e4fe995c8c7adb14ebfe6c66

    SHA512

    17fcd914ca588d400547eda309e17255f1b8ddd4c797140307dba72aa9c11274d87f8144d6ec41e73c382e161f42c5e9b8a5387b9071a74a38a617c0cb7f43f8

  • memory/216-137-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2064-150-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2208-0-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2208-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2800-131-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2860-118-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3092-143-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3744-124-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4540-111-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB
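
Two details of the process tree and Downloads sections above are worth reading together. The child processes are launched from C:\Users\Admin\Local Settings\Application Data\WINDOWS\, the legacy profile layout that on Windows Vista and later is a junction resolving to AppData\Local, which is why the same files appear under C:\Users\Admin\AppData\Local\WINDOWS\ in the file list; and C:\Windows\SysWOW64\IExplorer.exe is started via a system32 path because the sample is 32-bit (arch:x86) and WOW64 file-system redirection maps that path for it. The drops borrow the names of core Windows processes but only AppData\Local\winlogon.exe is byte-identical to the submitted sample; the other copies carry different hashes, so the name/location mismatch is the durable indicator and the hashes are secondary. All seven processes also map the same 184 KB image at 0x400000, consistent with one code base loaded at its preferred base. The following added scanner, not the sandbox's or the sample's code, encodes that reasoning: it walks a directory tree, flags core-process names found anywhere but %SystemRoot%\System32, flags the two other drop names from this report, and matches SHA256 values against the list reported above. The demo tree it builds is constructed with placeholder file contents.

```python
# Added example (not the sandbox's or the sample's code): file-system triage
# for the drop pattern in the process tree and Downloads sections of the
# report. Core system process names are legitimate only in %SystemRoot%\System32
# (and in the WinSxS component store, which is skipped); the per-drop hashes
# come from the report's Downloads list.
import hashlib
import os
import tempfile

# SHA256 -> location reported in the Downloads section.
REPORTED_SHA256 = {
    "a86496d3403578120497b84eb5d8b560396933f2da6cefe30a9a3b79849dfed8":
        r"C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE",
    "cf303edd79dae147ffe0cd9f5f2aa7383b2d753ca8ce2304cc01769f839a5e9c":
        r"C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE",
    "0f21e7a8b7ca1755f9fc7367ad45d7cccae519232b0ee5f3b177097b04368c5e":
        r"C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE",
    "1ee2fd99845c362eb90672a4c0aa1463dd65c50707337c2214bcd748eb02e268":
        r"C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE",
    "b3b71793bf76e57e5a5fdb7e8362fc9088419dbd9de2f6354f14f96b47751db4":
        r"C:\Users\Admin\AppData\Local\winlogon.exe",  # same hash as the sample
    "b17b69d115da5c86d71e5362d760997096dac77ec67f7db99e7f79bf78b3e357":
        r"C:\Windows\SysWOW64\IExplorer.exe",
    "a7a9aaaa3626cd0d8046444cfe319b99907fa896e4fe995c8c7adb14ebfe6c66":
        r"C:\Windows\xk.exe",
}
# Core system process names; legitimately present only in %SystemRoot%\System32.
CORE_SYSTEM_PROCESSES = {"winlogon.exe", "csrss.exe", "services.exe", "lsass.exe", "smss.exe"}
# Names used by this sample's other drops. Neither is a Windows binary
# (Internet Explorer's executable is iexplore.exe under Program Files).
ODD_DROP_NAMES = {"xk.exe", "iexplorer.exe"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, system_root):
    """Walk root and return (kind, path, detail) findings.
    system_root is the directory standing in for %SystemRoot% (C:\\Windows)."""
    system32 = os.path.normpath(os.path.join(system_root, "System32")).lower()
    findings = []
    for dirpath, dirnames, files in os.walk(root):
        # the component store keeps legitimate copies of system binaries
        dirnames[:] = [d for d in dirnames if d.lower() != "winsxs"]
        here = os.path.normpath(dirpath).lower()
        for fn in files:
            name = fn.lower()
            if not name.endswith(".exe"):
                continue
            full = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # unreadable (locked or ACL-denied); still worth a manual look
            if digest in REPORTED_SHA256:
                findings.append(("known_hash", full, REPORTED_SHA256[digest]))
            if name in CORE_SYSTEM_PROCESSES and here != system32:
                findings.append(("masquerade", full, "expected only in " + system32))
            if name in ODD_DROP_NAMES:
                findings.append(("odd_name", full, "matches a drop name from this report"))
    return findings


def build_demo_tree():
    """Constructed stand-in for a host: one legitimate csrss.exe in System32,
    one masquerading copy in the profile, and an xk.exe in the Windows root.
    File contents are placeholders, so no known_hash finding is expected."""
    root = tempfile.mkdtemp()
    layout = {
        ("Windows", "System32", "csrss.exe"): b"legit placeholder",
        ("Users", "Admin", "AppData", "Local", "WINDOWS", "CSRSS.EXE"): b"drop placeholder",
        ("Windows", "xk.exe"): b"",
    }
    for parts, data in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root, os.path.join(root, "Windows")


if __name__ == "__main__":
    root, system_root = build_demo_tree()
    for kind, path, detail in scan(root, system_root):
        print(f"{kind:10} {path}  ({detail})")
```

On a live host run it as scan(r"C:\", r"C:\Windows") from an elevated prompt; the profile junctions (Local Settings, Application Data) deny directory listing, which os.walk silently skips, so the resolved AppData\Local paths are the ones that get examined.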