Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
19-09-2024 05:36
General
-
Target
737a4dd3fb8f20c4190e588383f48c3de13c4a7f97d4814d63da02ce4a8fd7edN.exe
-
Size
585KB
-
MD5
24eb147745e301d8c1ee2726de7ce230
-
SHA1
cc7a807ad415652bffcae48f4e78c79d12155912
-
SHA256
737a4dd3fb8f20c4190e588383f48c3de13c4a7f97d4814d63da02ce4a8fd7ed
-
SHA512
119afb5e5d77a83de7ee9337fa7ffdd36a28d93957d7f4a46a7f70ce04589456eb6bd3786d14220dc9c0902a5c370003e40da179c71c14fcbf146a9f7cfbc429
-
SSDEEP
6144:3eHwXUU5EYCTvaBjRjWrLJKuKnGML5Njcxmu3ijWrLJKuKnGML5Njcxgu3hjWrL/:3yMUusvalgg5Njam8g5Njagxg5NjagC
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 6 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 42 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 4 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\737a4dd3fb8f20c4190e588383f48c3de13c4a7f97d4814d63da02ce4a8fd7edN.exe"C:\Users\Admin\AppData\Local\Temp\737a4dd3fb8f20c4190e588383f48c3de13c4a7f97d4814d63da02ce4a8fd7edN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\CIO0P3D\service.exe"C:\Windows\CIO0P3D\service.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\CIO0P3D\smss.exe"C:\Windows\CIO0P3D\smss.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\CIO0P3D\system.exe"C:\Windows\CIO0P3D\system.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\CIO0P3D\winlogon.exe"C:\Windows\CIO0P3D\winlogon.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\lsass.exe"C:\Windows\lsass.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Change Default File Association
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
585KB
MD5c2030a3c5c7c36896b4f06f5edd9373f
SHA1e4377ff427eb09475b66c7ffedd382421b4f2318
SHA2560c97863af3648d423b1f296708026d0fff9f0e4242f3af547eb0f529efadaf97
SHA5121633a958f0150a35fb72a064a3e115386f229101fcdf81a48af209740a37832129a5619e51da61c75a81fd256be8e71232c0d716dab501afbcee30aac47e9edc
-
Filesize
585KB
MD53bb0caa1cb504394db9cfbb6d8ba2500
SHA16b45be2c0ec6d881391d4a15b964d6eca70ac46f
SHA256f7e0e09c5f7103b9a127b05fbd8260d0afd857c366eef21b690b805ab20409ec
SHA5124fd1ca1d71cf4f6e8509de143737391528bd6e638feb07ad42a17304f8b00cee1d58ba472b0b1fb3aae5725822e88cb715f993b250235ba3219717a963c77c0c
-
Filesize
585KB
MD52baa08df0ec0b9a28ade5a72ac2a1e3f
SHA19e1cc2c4e6d3141bb69678f0ecc5ade0adc04df3
SHA256f6dab406aad953da0e7c1de2241e7da85c28977ff8ae14f2560cb238d611d98d
SHA512042ba8cca711a069415cad796739e19f3cb45d49fa2943ace9b7ba958a3830089e2fb99b9f75bb0c9f205b1196b198ff4320670adab861356b21586caa51a68c
-
Filesize
585KB
MD52bc2bc56e71dbc2e07f0504a91d01280
SHA14ee605bc962641af0ed3c93ee0d9b4bbff907090
SHA256012f8a59e326bf0db6cffa65c64ad00a0ddabfbf03eb4f9ab55ea30bcfbf4ef0
SHA5120b6b4a06aa581f4de8b3d8d21c9c2f3e9354295d359577676d1c98cf73e3f1216421e336ec94137e67a100a65dd442409641947f3817d04e4174689c72c94c45
-
Filesize
585KB
MD5d8ce268191197bd1e95659e1da16c0a7
SHA178b504e5c6d96a635a6582df263ac9bd92a26ba4
SHA25660528541051c92134cb7e76b3b8e672bf2b8bfdaf0989e6fc31d7f4ab217842b
SHA512066852194597550af8f7fea6375650e840a75bf524e94e3ebe2cdcbae963990fb3279928914068ce91d37a52f988cff14e787aa56f91add48983e0c09856f8a7
-
Filesize
585KB
MD5b114dd9b447cec60c254f909eb3e24a5
SHA13c0173151032b306ff320a64069f789d4bdddfeb
SHA2563e58f24a94c23cfb638702da15a9eb2485d3f8a1b4bf26dc4b2558d577f77177
SHA512cf39d965384bad9799b07ae7220730ba212481a4bfc7ec58922bbc572b33b9a06df2800f85a050f594cb16336c258695707e5fca5b921a5396680934af2cf358
-
Filesize
585KB
MD5a5ff371c0bdc54962c3163404089ac19
SHA17a32977191f93891ef277fbc1cf2f49892af8812
SHA2568b1f3782796c12d48ca93efb4b8bac6b01dd887fa63ed34463cbb0d78f48b627
SHA51289e6ce1a839df7ff176c9dcc52476623b51f6d40c53448d40f507ef05b6ab664978338222fb6a451b28d3f4f33f24bf58f174d2ec7534e3c82f201fa775e68ff
-
Filesize
585KB
MD524eb147745e301d8c1ee2726de7ce230
SHA1cc7a807ad415652bffcae48f4e78c79d12155912
SHA256737a4dd3fb8f20c4190e588383f48c3de13c4a7f97d4814d63da02ce4a8fd7ed
SHA512119afb5e5d77a83de7ee9337fa7ffdd36a28d93957d7f4a46a7f70ce04589456eb6bd3786d14220dc9c0902a5c370003e40da179c71c14fcbf146a9f7cfbc429
-
Filesize
585KB
MD5d7c2c79c05d5d7d20a5db6b42bbdf970
SHA185954e1246a6c7e156dddf0f3bb34d9227a68ac7
SHA25643ee535d4bdff4891df197c196fb8b57f49bb9cfb0622baa8f667255a52f8005
SHA512bf8c755f9d0a34d67ec212ea22f13ff29f4fcb9eb3607a8f04b7c83796c9d4f0fe7069fb9cbb8133547b1969c14664925bf2578bc8975101b47994b8e754ab3f
-
Filesize
585KB
MD529929b96ef976aabd323ff8ec343fec8
SHA1cff9fc10da29bdb3df464c855726f284c6c34947
SHA25685781c2760f37dde9121b57e7d0fbc856ee09dd3c78c2bd466fe60bc55984131
SHA512617086c66bfdd8132ac1ad35daebceb26e7c112f0b5f632487f19b098a87f65a06d99333de74b97c5b323f4b060728bb09f13c3c8b78206be0e5e137f06c434d
-
Filesize
585KB
MD59d40d627b1e9e05123fc67e84db2dc3c
SHA150bc514e82a975887c2b01d2d009af7a4dd7babc
SHA256b3205fe1c31dbd9df71e265a18871ca05ab9eedfc826d817bcf3f2f44d1b5ecc
SHA512da48f9e9288edf53df4d2e1badd9a3557c03d4f644b74bd532025658340c46c710f208ae08088ebaa80ddba3d7fa034a11c4370b31e6ffc8ce4cbe16318437b4
-
Filesize
585KB
MD562f49664891820067ada5588c63ae2ea
SHA1dabe08b5ab52c4269e31e43c8044affbadf7a550
SHA256c00c5caf0fd9a4af5dd09603ba6e1c81567b53e545793983c14ea84eb33fb5a4
SHA5127338d682f71b760b04c8090a211a1d4505c7fb0cd7087515cddbe2bea5132e9518785f3fa76a8a655242d37e9af3bbb7a1759ea58a1c9c3a416010beb57cb5e8
-
Filesize
585KB
MD5f6311241a9a44bfdfcfd06a23a7630bf
SHA14d72cc3b4084da760e4d91bf6a51f77feb1b7ca1
SHA2569f3c69da8dec75b54577358d2174e2b3d111d1f0eee1c6996bd4d99aee2d85d7
SHA51291e3aa275bacfc719280d7f39f698a4c1dbae84062a74be6e1954c2e1a7ef198bc1bd84855feab8d259d427d9610026f055778e488a8e163cee5763a6678a074
-
Filesize
585KB
MD50ec16acf58625232b93401f29f0d2482
SHA15da0b8821a37c044c8078f3ee2805b0dd2280428
SHA256c7d4593ff7a36a01ff5344087c62f37b8b717bc713d135c9f7a316612be65874
SHA5120e91b0d91d233ef555343800cbe66af7a7e721b2a45dac7a5245a5e8aa0e4e94ce47c7f6e003da0af435d46825c85085fdbdeece036d342c51419682895ef392
-
Filesize
585KB
MD56fed0418cd3492f0a033194c0bd2af24
SHA1564d137765801897f2841a6cb2b4de3d4ace9168
SHA256575a7a22b9105f31b9267153cbb91f323950e7cb9d2c0b1df87be2369c953032
SHA51222409346312b00c2540371a35568a6fe1eb2c665009a229353438ee9b5c39dd049bb923279037f2e2d85ac183501776f754d6c236516d8b8071ce7794a0c32c0
-
Filesize
141B
MD567407951529163b13373483841370be4
SHA1a069b38e545ec6ec9df1c74a341cf4463092816f
SHA256492901f28e28833cf63bfbb8eb6055fb7e2b23fe19b478314a66df09c9d10428
SHA51291918ab762bcd85e74f2a8c6c8088bb1ebf2b072be43678ea39a855c9424e2ca89c50da687598fa3ff0bbd5dffd04926067258087eacecd0c078efd9a999473a
-
Filesize
417KB
MD53f7eefaceb0a8fc4ad2a057ef3c3eff0
SHA1cc13f1a3db314b38bbec9eb61d81b449ca525ad9
SHA256b970b3eda2173bb208fb1d0f9c04e441b94ef21bd78bb53caaaba73f22f9192b
SHA512b578c5b650256793a18a94ce3fafbd7bf409ed6c6f1b1c93ade961931049b0269ab07c9d7269ffce2e07b54455fad139f2bed97f12214c7ecd3bb2150fddeb39
-
Filesize
585KB
MD5ba1c9b76a467e71ddca7a647d42bb3dc
SHA1daf35cd272236636e80cdd0732c898a2251bcc0e
SHA256f0afb52686f44267bbc9a0d3733b22378c9e56c6fc7d15094eff1fad9ef9139a
SHA512d6657b0f6c4aa0a3082ec54595a7ba543e5b2b0d04cf06c05eb4d6346bbbe15086c60fa01159a2e8349d73d1ed01e3b0bb44591de86c65cb2cfb668fd9a89452
-
Filesize
585KB
MD58ad504ed362e73725b16649b60d200f2
SHA141bd6b9f741c3e91091326fef1ad6010063bb66d
SHA2562552182b911a3d0cd50d5b755cfd2facee8d35c4aea15e908ca16291c06869e2
SHA512075f984f073ac34bfdfb88486268369d8e46fbb893d96c99ac9ccf43d592843d60b5e8bc8d8375d2c4baffb5831e7d5c7a1fb4d0cfa9ac28fee789ec1f2a5ed5
-
Filesize
65KB
MD58e6e31f8df128a746ff9a3a38f8f78c0
SHA1e4da9aa336eb7e254592e585b29d8b4e23f3e4bd
SHA256dc33796b634ea14ed80a492257f698d103a57e1a041ccab92945efa8201a65f7
SHA512eddacadcb86d8ead42185af5ce779f35dcbf262b2e12dc1cb816c3c5e35563201a839b861eb4a2cda472a5a27b2dfb76a0310d6eb94b49e9d5b58af869ef22c6
-
Filesize
8KB
MD50e528d000aad58b255c1cf8fd0bb1089
SHA12445d2cc0921aea9ae53b8920d048d6537940ec6
SHA256c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae
SHA51289ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116
-
Filesize
1.3MB
MD5c81946a7c7cf53e4ab8c4131e5c68651
SHA1e8a3f7ce6eeca78df1870681030af6a92d11aa97
SHA256c3c5474016661c70a9c6fcedf0d1aab67329d7fb150a6481690940ada0ff7b82
SHA5120764b6365fd2d4d72220cd6a13a5d09d1d244965b94658f604eb08142fe5dcce7aafb00cac877e11b9e959026bb005fbda3c3629e34b0fb804579048f96a4e98
-
Filesize
585KB
MD5f77c9a42c8d4e1be9ee67306febf2fff
SHA1976bdcf86d7b77da2294feaaaa5f2de6fb81573b
SHA2568d4c711d89058fbab8feaac301c71a50f3a560027a568a9a591bb86f2375b752
SHA5120d75b2181b56c4c1848f51023e3c6cc243705130435c4abb733be9b5fe72e3cba4d1115cd6fd1542436c6a8282caab6a774da1a17fded2dc568ade820dd282da
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
328KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
328KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
468KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
328KB