Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20/09/2024, 12:37
General
-
Target
3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe
-
Size
91KB
-
MD5
c03138918027d2c28e7eeb956167e880
-
SHA1
a2b19416582fd4409b8b824993f1684b0112feba
-
SHA256
3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406
-
SHA512
adb5dd9636079f8cec7ab3546585d39e12ac3d929478a8e9a1eb7023f46b6e933054ab63b9e5ea4d86f96970d176eb023d0d35b1a7b7a3bc51bb9b1683d76c1a
-
SSDEEP
768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3Imu/3gRYjXbUeHORIC4ZO:uT3OA3+KQsxfS48T3OA3+KQsxfS4C
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 7 IoCs
-
Modifies system executable filetype association 2 TTPs 13 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Control Panel 4 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
System policy modification 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe"C:\Users\Admin\AppData\Local\Temp\3a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\xk.exeC:\Windows\xk.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
91KB
MD58a844605d244edf1bcf9ac2e1d4f67e8
SHA1b72f8208f17158bbe5998aa7a93dfd5dfcd57526
SHA2567becc16aaf7a9a8242885585d6f25db9ac8ae426683e77cdf80020dc84eb31b5
SHA51203b89443c971c1ae0cf1e19030729c33cc1301d5d5101f2915dded089205706feeaf2dfe061f61dea2f95a84e4099be99c00e0dbbffd5016c499ba4c21f68872
-
Filesize
91KB
MD55ee36bca6f86be0b9291b81a2396bbca
SHA10f6e9bb1fc56ebbc3228cb67c43e159fb59cb6ff
SHA2563e7ff460f46263125afcc75c22522bb8de3718b6a5f4435cdd9ac8c5f4eeb425
SHA51238e01caf4d35da71273b04a13326ff93fbe8ce4f6afc1659a5aa438ebc33c6fd86302642007416bbbb3281a5ed86af487e69b0544eedfda3454f03c852f4efe4
-
Filesize
91KB
MD5e84c84c7ef50f561fbf41318d26d54dc
SHA1306a08f6d657ce1bcb913c2f3d3242ef7564bfbf
SHA256bd942450edba4d9d59af636bf58b02d1c87470c2dacc747c96a2cd8457f00c45
SHA5126505b7ebca75b2fdf43a2d0f16bc3d5e9f3b54d1dac815ce25162737b72b22765a5df6c4eaf416c290c6c6ea3ec5d9885d568e0bb9feecc41de7d76df419e493
-
Filesize
91KB
MD5c03138918027d2c28e7eeb956167e880
SHA1a2b19416582fd4409b8b824993f1684b0112feba
SHA2563a670d2850654726b2bf17fad1a666887db18425d6093e22c9e7d35117c87406
SHA512adb5dd9636079f8cec7ab3546585d39e12ac3d929478a8e9a1eb7023f46b6e933054ab63b9e5ea4d86f96970d176eb023d0d35b1a7b7a3bc51bb9b1683d76c1a
-
Filesize
91KB
MD55f9fea39a0583783e6e69aa428c372a6
SHA1a7af1dfba95d749aaf421bf71b83dd4ca38eb382
SHA25636fbd0c3765f3c580fad2a3528825675c4276ba3a121d4fba9ce09699a3de487
SHA5129311313769da7d09cf0486733e746c1944a8d0b5d2af99b6886e668990e7bd8bfde44ecf97a9d0f433231c25408ce192b7e25ad4b48bc2123f04ec9b29d660be
-
Filesize
91KB
MD5352e388085b6470f86d1d39f4fbc16b2
SHA137403ef3e0b4a1efd8895057c1df4baae49a14d3
SHA256c27664716d6c89ec4697c2d29a54fe60408de8f9a7ef0b1ac6c82f1c67c35248
SHA5121534d88b7ddd856729a543b6161d169f09e15a345859fd7b7a509841bb7d04751eb16bb9fb60e910dac2fc8a80e57f6982a0f983119855828bc682d79b1584b1
-
Filesize
91KB
MD5bfd5317f226b6df8661a51b1bc4c97dd
SHA1408fe5cd061c1949f5e53ce31d711298496e74b0
SHA256e12609e36e3a170f8bfb900101a92e7ee5be3549e9b63652d2f0a61ddff252b0
SHA512227634d9bff6fb538eecd22717c13dd8f894b62b28dec560b9705d3b943dc9d837b18228510e88d3028e5da5185d60a66a6554671bf8efb0cd059d6c05d585b0
-
Filesize
91KB
MD51268f5edec5620772c28cc9c99f28213
SHA12ac426ae5e3a87e745c528349b7bab5e595f53f6
SHA25655afa89c955be95051c23890bf0ab5ba2468e561fe656096c6cbf2636c6de33b
SHA512389cd354aed2d5c178d649067cd827dfd70481d6bf122d0b1616a99305974c0e304c0ea1e9ab3761ced1c0ba90458880f27a86f705c5146aea270243efa9a4a9
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
1.4MB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
1.4MB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
176KB
-
Filesize
1.4MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
16KB
-
Filesize
176KB
-
Filesize
16KB
-
Filesize
1.4MB
-
Filesize
176KB
-
Filesize
176KB
-
Filesize
152KB