Overview

overview

10

Static

static

7

ebcf85d360...a3.exe

windows7-x64

10

ebcf85d360...a3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19/09/2024, 03:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ebcf85d3606c5c9acd6fb8f8a31338640e429dad236809daa4d138671e2533a3.exe

  • Size

    91KB

  • MD5

    124dd158fb485bd536ab348c936ae372

  • SHA1

    5d1b43ce2d772c0d91a91d68caee58e03434a761

  • SHA256

    ebcf85d3606c5c9acd6fb8f8a31338640e429dad236809daa4d138671e2533a3

  • SHA512

    4d23561cbd2f81a572f5f18f51058534acc59c0557da6b3c05f4faa3a0017bc3eb491de654b7b734ec8c0adb8935159e1ba11d7e3f987bd83b1fd79372cb9068

  • SSDEEP

    1536:XRsjdLaslqdBXvTUL0Hnouy8VjoRsjdLaslqdBXvTUL0Hnouy8VjK:XOJKqsout9oOJKqsout9K

Score
10/10
discoveryevasionpersistenceupx

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 20 IoCs
  • Modifies system executable filetype association 2 TTPs 13 IoCs
    persistence
  • UPX packed file 32 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops desktop.ini file(s) 4 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Control Panel 4 IoCs
    evasion
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • System policy modification 1 TTPs 4 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ebcf85d3606c5c9acd6fb8f8a31338640e429dad236809daa4d138671e2533a3.exe
    "C:\Users\Admin\AppData\Local\Temp\ebcf85d3606c5c9acd6fb8f8a31338640e429dad236809daa4d138671e2533a3.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Disables RegEdit via registry modification
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2260
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2552
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1064
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2876
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:940
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2056
    • C:\Windows\xk.exe
      C:\Windows\xk.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2168
    • C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2136
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2472
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1852
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:776
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1292
    • C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1784
  • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    230KB

    MD5

    755b1fd2f65abda4d9d8438fdd276cfd

    SHA1

    1933174cf6b845a500a2a468ac56fec66e79515c

    SHA256

    9a6454ef32dbb80b74bdbacdc30ca2bd79051af29653e697da71ea3f293e88c7

    SHA512

    b6542c614f4b49417f58af9bd6353d5fcb261a811de6d571dc3e6ae68268f90bd516df39b1762ae6f7175507d6df2c401db5f8f04deded9938a63a34a5e9fedf

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    29093a3e2bf92b5edf97dcb1d9eb643a

    SHA1

    96dc7811eb07d6fa245bb96b2a20fc855a167e70

    SHA256

    a59f1f1d046fd6f6bf7874f46e8f9deefbd9f1a97274ad8ac82f77478f645e11

    SHA512

    537af242adf916ff9515644a94f521b9fb8ece31ce7a5a0dc469aba731dabcf25cbc8713be1a29ab3432d2738599c4b0a7f52768ed02ee87b9fb35a43a837975

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
    Filesize

    240KB

    MD5

    60b5ae1a86d8cadb92a81201b337b7d3

    SHA1

    21b1371fcdedd9cb894f16575ed269c5e8ed5574

    SHA256

    b39b29b4be4d738ddc0bb6d402166487b2bdb9aea344ea4d98fcbf5da926502a

    SHA512

    2158f70df9568b7d18eb17fcec6ce92ebdc42df3a8a9b39c405def38f151d6fbeab16fcb2d0687e3b190198b9ab8adbd153d1e8a22ecc59b3296c15c95a43e21

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    710B

    MD5

    93dc1e7e8e4dc4762538a84b135b355d

    SHA1

    bb5653cf46ca6b9dcf6925ed5bd9b7f75dc997b6

    SHA256

    fbaf3df6ac17055ec9d5da6aadd6377d3f1651157107aeb86f5a9d51419b673c

    SHA512

    4516d55e32320c75e448724430afc4d723a5db0edd5279acd013195c59f993f9f0c0306099295bd3f8173d63822aad1de4d89a589e086234e8217ba439c70b5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf
    Filesize

    1KB

    MD5

    48dd6cae43ce26b992c35799fcd76898

    SHA1

    8e600544df0250da7d634599ce6ee50da11c0355

    SHA256

    7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

    SHA512

    c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

    Download Submit

  • C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    eacd5b7d8f70bde368a3f1183798f756

    SHA1

    b8dc313c0b34766a8c520e2f098821e733fbb15c

    SHA256

    1c58d9a33f5fdc8c87d8d53258a3596f29b6cae7019548e60d0e9fcb920a28a1

    SHA512

    2e1236a1f362984559cdfb345aeb13a28789f2bbd17d4790c14bdb76527fff39525a41a89c3023ed9d60f66d588ec6edccb46e47886fa37bf9e22dae76781c42

    Download Submit

  • C:\Users\Admin\AppData\Local\winlogon.exe
    Filesize

    91KB

    MD5

    124dd158fb485bd536ab348c936ae372

    SHA1

    5d1b43ce2d772c0d91a91d68caee58e03434a761

    SHA256

    ebcf85d3606c5c9acd6fb8f8a31338640e429dad236809daa4d138671e2533a3

    SHA512

    4d23561cbd2f81a572f5f18f51058534acc59c0557da6b3c05f4faa3a0017bc3eb491de654b7b734ec8c0adb8935159e1ba11d7e3f987bd83b1fd79372cb9068

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    5be297bf5c8e61ad42c0396ed634a43f

    SHA1

    4c69758640cdc4c470b6ec230121aa4e46212647

    SHA256

    bde39c0d2ef39336f962a766008734f566ade7b8b40084835b25fd480abb5fd0

    SHA512

    9c0f40581a454cd1beec9ea72863f4252974a99f0d8a9ea1873892aba9ec505e92d2f67a94be1d6f0a1b2978cb2de1cc50f13219820a0bd26bab0bf4ece14f3d

    Download Submit

  • C:\Windows\xk.exe
    Filesize

    91KB

    MD5

    8fd8d93567f69bdacc9e59ce0b43cf03

    SHA1

    06b3b06af8dc30131812460fa1f6d97938d21ff0

    SHA256

    f6d38b6ae6f90482b7a7aefe4d9c2ee275126015aafdb4238cac0e8a515f5296

    SHA512

    f443ae585d8afb060b2636261d4cf5e9c50916fc32a3f98364cd9ad95111c103a344ba556d4261d8c5078898bfbdcda901753a3279a9d0472ec67cdd5b0c11aa

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE
    Filesize

    91KB

    MD5

    de2a437d5f5806b57444d11eb6475dcb

    SHA1

    562366847d439577e59afcf0fbc14630df9229bc

    SHA256

    59155138c3375022bdc082a53e29a3a35a38c70719515eb6c6f9be2553df54f3

    SHA512

    749a92c0e632225f8b7cf29c8aec42cf022f7b84e2d3dd5fa9e7eeb7a0a620730b2301ffb8df15b687cc1fe660028b4cc24f9137b903ff156d222ccf28f320a0

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\LSASS.EXE
    Filesize

    91KB

    MD5

    c65d33fd211f08190bd080d53bf224c8

    SHA1

    3c44dc3586e5d0e42377b88cc06cc39ae007b362

    SHA256

    e7bba73e6cd3d44791f87eec279225d660f05a3732d169f54133228c0dc9d696

    SHA512

    eca4b8251352864d199b8c376ca3413aa8d44d7b919c66c4e0b9ba6c304018d3474306f64b3c556ef6140340f63f2614b30afa78d6fb71a36c9afa143b15c32d

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    c037be0f92b791c5836ae40faad70d6c

    SHA1

    ebccf9da7a9e7704f8d5a4d7f15cfb3984866a5a

    SHA256

    f8ffdd37cd371655141edb62839f2c3c8c18aca8719f0d253052c96c1d09f82b

    SHA512

    7284c54bc8e9cecb4ceeadc35e6fce92e93f17839526c5ce8c7e4241982e334de95d5e059691fad886c7d988b6f358e8d5b7b8bd2b54684e21aaa965ed9f5b83

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE
    Filesize

    91KB

    MD5

    08cfa23e57c01c273d6c45212c6ac597

    SHA1

    096b443202ecdd8d4ea6d4921923ec0d7d26f759

    SHA256

    b670bfdea451756928c98977bc77a402a01c5a60f2c13e25bb0bd840bd165dc5

    SHA512

    1c073a7f4b00720aa3930aa6c028a8533c4077ddda4cb928c49aebde63e9385521ad94e96518d8bac96fc7c0b604a5857c4565663228edac997941554a1ae5ae

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\SMSS.EXE
    Filesize

    91KB

    MD5

    a233011d6bea16bf9f84e2352fce1047

    SHA1

    233631b2dda63b2ae7be288d9f7ed5c5e238c046

    SHA256

    81caf2bd23e29067de6a98ea2602b3661d842bc19ae8a8be0e5f2f9be22812ea

    SHA512

    68c0ca700fb3ca28bbb88b2cb9c325e398fed88fe696b12a608547c795250945c05fa4a3409c0c77314cc31938e9572ce81c92b490be7fb34ed7c62dc936f658

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    35e6591b82cb4d34029b962acdcd69f1

    SHA1

    268446b6027d7657c86946b1d118c94ee29c24c8

    SHA256

    b9890ba402fd3f9aee669455820c0517a55a002e20021e0002b5bc3fed8d5c06

    SHA512

    cc639ab085f38d323e7804cd4bf8837bc94a9b2f194cb2fa6f44c49ca97abdf70969068469e2f17d17256a95865090d06d2b728dc3e7000ee73d1e9321bcc424

    Download Submit

  • \Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE
    Filesize

    91KB

    MD5

    dfa938699b7a3300630be574f4d6ad57

    SHA1

    51a36e75d6d523cf1014a6374e0872caaf192c81

    SHA256

    c43d33c96e2f0a6f75ee971b2c8309178a85200a0e8fc9a0a633c53decbfb774

    SHA512

    6601083d0b8dc17a224c744df72ad9b05a72e376e6d0abf08b71669e1175e87b51d35af3b65cd9d74d4ad06c45a2ae6a691728b10285f0377d2cd7196876a6e3

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    7626a4979578bc4314e2a86f40e9a212

    SHA1

    8e3db8aa87e06d4050e31622510493655e907eb4

    SHA256

    39772215ca3490611122282b4fe3fd369b98ebb618ef95afdf3652bb44446f22

    SHA512

    7a7517688577fe32c8635291663f1e1e178b3647b9de53c359922dc8113d6ea709862b961cc11ebd26bb875ece23eb8fd02cf4a2ed2d0fa3aadd7345f63545a2

    Download Submit

  • \Windows\SysWOW64\IExplorer.exe
    Filesize

    91KB

    MD5

    cfd4501bc7eb35d25c17d4f3620f4761

    SHA1

    11974479fd72b70f791830975e58dc1920fe5466

    SHA256

    b1f35dc633ad49412714a84357069a607e13db92bffc919617ae2ab15b132ea9

    SHA512

    135b3fbf057885758d2603a4a18e9a0e73f8e53c7efd10a2686edaab5fbecc3cbcad118c1a866ec686fa9babdfa5964d28ec45c5704e1ba04799febfa20bad60

    Download Submit

  • memory/360-316-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/940-153-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1064-127-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1292-280-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1292-277-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1784-291-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1852-258-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1852-254-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2056-179-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2056-159-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2136-235-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2168-225-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-134-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-123-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-442-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-275-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-215-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-142-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-143-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-441-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-0-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-122-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-252-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-110-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2260-109-0x0000000000740000-0x000000000076F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2472-251-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2552-115-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2876-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download