Analysis

  • max time kernel
    150s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2024, 12:01

General

  • Target

    LXWARE.exe

  • Size

    1.8MB

  • MD5

    94b2e411174444dae22c34b490def43b

  • SHA1

    55a10f1e0b8ddd5d63441b20c9dde1d827bb2b50

  • SHA256

    4850c62dc647f3e55ccc08d71be08ef5b6b3912f75224ba4e869ce679f65256f

  • SHA512

    4bb3121607db54f8465f7efca9a9a4af0a683790aa6949166ad13bfd83976666ca083fa762a521b0f19222b04068b1900888cd3d9d0e1574469dbbae438015fb

  • SSDEEP

    24576:PFOaINhmeXmWash4zBqnTzDYTvZPJo60OegX7Ao6naO82rYudrgZRMxMmABlNG4C:tyhme2JzB0zD+0Erv6naSsudkuX5l

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LXWARE.exe
    "C:\Users\Admin\AppData\Local\Temp\LXWARE.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:972
    • \??\c:\users\admin\appdata\local\temp\lxware.exe 
      c:\users\admin\appdata\local\temp\lxware.exe 
      2⤵
      • Executes dropped EXE
      PID:3676
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1568
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2232
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2620
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:232
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1092

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\lxware.exe 

    Filesize

    1.7MB

    MD5

    80c94f48246b7bc6d4b529b8ce2ef60d

    SHA1

    4274c7ed8a61f79b74a6e12016f3fe7c42004fd6

    SHA256

    d6ced59e42951178f42c14777fbd7f58b0fca54ad1debb5001a17082d7abc303

    SHA512

    a4dfb04bd1e38b3707ad2f646653c22003529c3bfeba36295cea43872f50a43573f1300c4c21525a768d35936a20c6beeb06732338cb9caf7976d215a0f8f4e1

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    ee91275a9a4b89e03abb8ad8db8c0e8d

    SHA1

    30bfd69a76d7512111a6d8ca22223c9694085a6a

    SHA256

    ddbec8a05f4c96b4c5176b1b0bd94d5a5baea1892a8f522a26d2a489a8038270

    SHA512

    3860767e169fbb0df082e675a1463fc6d3d90ac49367e367cfe11f9b2c0d85cce27612f72d6049c15074b68c37b0a649de91d6080961031a199bfad5bd1dbd52

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    6e315e9f7ac384c0ac5cfc15d2994c2f

    SHA1

    9f4efaa26be24a93bab807b43105c79609dc4dd0

    SHA256

    5c0c44bcf004a8fc773642294c39f4b82e077a9bd99bb16400b10d458b509f8b

    SHA512

    26610090e4aa9d5dd6c945486ed7a3c41d6c391463f5e7d349b5eca0bd405d4023f484621a111930c8c88a4923e119ebf51a6ba740ad9bb7097e9db0b36eb35b

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    d78c6a0b991149d2cf39282d0dfe98ff

    SHA1

    7fb16fd65fa8de2be94eaebd6644238671e1dcea

    SHA256

    494828540a13b767e6bb8cd482ff588c6792f810ab7e36455a22d3be45bb4526

    SHA512

    1073adf2583dd34520f1321e03594ec3ba4528684a4433c19e5b2e045fb1f552d57139dd90482210fcc23d253151281c7b561609d7742b2a98614612b0e2dfe7

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    d2539681be5d13fe305765a063bb29e3

    SHA1

    fb85b079ade61e5313e3480137aa732a2962c82e

    SHA256

    15a2f69fb459f699829a04b4d29dd69e26b0d683f109589374e06eaf2ccd2b85

    SHA512

    161273279aab4dbf5d5377a00a6de9f490f9e61c077737365ace2dc13d138b17150005dcad26148cc8b070d04d9a2168dd70727c4dcface43747e77d416ed185

  • memory/232-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/972-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/972-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1092-43-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1568-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2232-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2620-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB