Analysis

  • max time kernel
    96s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-08-2024 12:00

General

  • Target

    040293257d37e0654993cfc32f70aa10N.exe

  • Size

    90KB

  • MD5

    040293257d37e0654993cfc32f70aa10

  • SHA1

    c64d7b3b768b83fb926d35c72862613fb55f7da9

  • SHA256

    e4fcefeed3141bb3e55e666a8fe86652977df67933a515a0b6b4373892a4d0b0

  • SHA512

    7e9e4147d1bc2c762e09ccedaaf45b36fefdf9284a306ca81459b02c8b2525cdab3c867f0e1048921e9005e29c9286452ac70f988a93f3880a948f50a0054d12

  • SSDEEP

    1536:XRsjdLaslqdBXvTUL0Hnouy8VjpRsjdLaslqdBXvTUL0Hnouy8Vj:XOJKqsout9pOJKqsout9

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables use of System Restore points 1 TTPs
  • Executes dropped EXE 7 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Control Panel 4 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\040293257d37e0654993cfc32f70aa10N.exe
    "C:\Users\Admin\AppData\Local\Temp\040293257d37e0654993cfc32f70aa10N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:464
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4104
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3896
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:208
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4604
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4224
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4848
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4956

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

    Filesize

    90KB

    MD5

    d7329391acc158892e40954bf59d345f

    SHA1

    b751f623f471bcde8c6aaeec521c2916ee7e7fc0

    SHA256

    8a358137e108e60c94018f90f82b9cd22247a841da939f4d2b2169c164bb806d

    SHA512

    626f6aaf4d41960d9eb18e42d1669f803cabf185104f3d70dc4db3e2ea63a135433aff8fcc561fc7e9d5dfe28316f946b7ba7eccf11c03ff77accffc63ef7be0

  • C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

    Filesize

    90KB

    MD5

    157e90646af0893cf0479f9b67a99a20

    SHA1

    82db27f87b3dfc5418ddde13ba91ad7044195dcd

    SHA256

    d1eb2b856a19b6a40f7f2ad29dd17e8cd1da76989df6fa1213a256b81f127913

    SHA512

    49508ab3d9da551a8102e4e4c897503743d252b6ca24feb5fa9d291e5cce59019cacf480f268de124b3b4dd7fa9a46edb0f014274cc36048c6a5f3ed7aa46971

  • C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

    Filesize

    90KB

    MD5

    b3b20b5eba14b3e4e6841dca5222a266

    SHA1

    10d4e8c7e44fbcb5fcd59631b0314aa78d2d8975

    SHA256

    ec6d9831bca08f35ce571431f09ca647ffd5b7f892dbd1623ad1768c235c7939

    SHA512

    8be137db999464f901c58678d78b00041ecb5c7502db927fa3005e26b42647fef11d199d7e6694b229e9998ba760e535ed32d83a7009ba7cab688dced743393a

  • C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

    Filesize

    90KB

    MD5

    7ca2451d2aac1f1d42895c22dbe8576a

    SHA1

    0b2b3c2d0c840dec0a924eab8b17513397cc0d1f

    SHA256

    07aee95ead953f725d5a372c0977d159d67a0b2540bb30655cfab3a838010f23

    SHA512

    8629938b1c182c74b3afffcefd1560f998402ba2c9683d7b6f45545bfabb1f3c33cda982bebb188d6502da8d6234ec11c99b6ce2482abae13bfefc154ebbd2f3

  • C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

    Filesize

    90KB

    MD5

    b0575eaf90cef71443ccc03bc494b0eb

    SHA1

    971576b02e5cebbb31df8f87915a985b4f0c4509

    SHA256

    1b0b84726104d95b0483428cf7c1ae7f6038b3a9e311d67cd05850a3d8b66733

    SHA512

    54d858954d2a1f3d61a02ef4bb350c6559383feead3f2852f46412c7d2e1e660735a0ee373c9f6a9e52773cdf46aa4af99fca11469648fae1779763e06c23da8

  • C:\Users\Admin\AppData\Local\winlogon.exe

    Filesize

    90KB

    MD5

    040293257d37e0654993cfc32f70aa10

    SHA1

    c64d7b3b768b83fb926d35c72862613fb55f7da9

    SHA256

    e4fcefeed3141bb3e55e666a8fe86652977df67933a515a0b6b4373892a4d0b0

    SHA512

    7e9e4147d1bc2c762e09ccedaaf45b36fefdf9284a306ca81459b02c8b2525cdab3c867f0e1048921e9005e29c9286452ac70f988a93f3880a948f50a0054d12

  • C:\Windows\SysWOW64\IExplorer.exe

    Filesize

    90KB

    MD5

    65da409c15295849e2d650305df54e2a

    SHA1

    5695d2f4c916e7ca0802e3d3402e6fed09b51483

    SHA256

    f7637db6ebc59c67546e15a94c627efb34e635f1c7cc6c1c0de2d095b2053bfe

    SHA512

    7767beec2aaa7a37dec7ade9e37588af1301b36d9cb8287b537e29b7d1b640774e48296f479b85369ba070acbebe6d4fd5329a69d703986ad7c93ae2d693a0c6

  • C:\Windows\xk.exe

    Filesize

    90KB

    MD5

    c9faeaa44e9cfc4974294e719ea996be

    SHA1

    bd4607002c0ffce3df28ce85d753309f279d1e1a

    SHA256

    f5860aea92ae5f9666585b717e21be7102f843b6782232429ccaa38cb48efa40

    SHA512

    fdc15b6ae9904d9933b498d5ed93501142c5627ec6ec7e0e89cd2c1b0e0df030837fc2c69b8fb295e10dccd1573decd8276d505271c836ab1a16c78fc44d43c8

  • memory/208-121-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/208-124-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/464-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/464-153-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3896-117-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4104-111-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4224-137-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4604-131-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4848-144-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4956-151-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB